Thread Algebra with Prospecting Services and Foresight Patterns

Abstract

Thread algebra is a domain-specific process algebra which may be used for semantic work on sequential systems, including systems based on deterministically scheduled multi-threading. Thread algebra is used in this capacity with the forecasting phenomenon for programs and machines as a domain of interest. Several new informal notions are proposed: prospecting services, foresight patterns for systems, and lookahead conditions as a mechanism for the specification of services. Some new prospecting services are proposed which facilitate the realisation of certain foresight patterns. Several negative results about the non-realisability of certain foresight patterns are provided.

1. Introduction

Thread algebra [1] is a domain-specific process algebra, which is tailor made for providing semantics for imperative programs in the form of instruction sequences written in the notation of the program algebra PGA of [2]. For introductions to program algebra, instruction sequences and thread algebra we refer to [3], and for more comprehensive information, to [4]. For more information on thread algebra we mention [5,6]. A comprehensive example of the use of notations from process algebra and thread algebra can be found in [7]. Below, the phrase “instruction sequence” will refer to an instruction sequence in one of the notations provided by program algebra, and thread will refer to an element of the domain of a thread algebra.

Thread algebra offers constants $\mathtt{S}$ (stop) for a properly terminating thread and $\mathtt{D}$ (deadlock/divergence) for an improperly terminating thread. With threads $\mathtt{P}$ and $\mathtt{Q}$ also $R\equiv \mathtt{P}⊴\mathtt{f}.\mathtt{m}⊵\mathtt{Q}$ is a thread. A non-terminating (run of a) thread performs an infinite number of subsequent method calls. Non-termination differs from divergence in that divergence may involve an infinite number of subsequent internal steps, while non-termination involves an infinity of externally visible steps, viz. the subsequent method calls.

The idea is that $\mathtt{f}.\mathtt{m}$ constitutes a method call, where a component accessible under the name (focus) $\mathtt{f}$ is asked to process a method call $\mathtt{m}$. Processing a method will change the state of the component which performs that task, and moreover, it will produce a result in the form of a Boolean value. If $\mathtt{true}$ is returned, the thread $\mathtt{R}$ proceeds as $\mathtt{P}$ and if $\mathtt{false}$ is returned, the thread proceeds as $\mathtt{Q}$. Components able to process method calls are called services. A focus $\mathtt{f}$ and a service $\mathtt{H}$ made accessible under focus $\mathtt{f}$ are combined as a service in focus $\mathtt{f}.\mathtt{H}$. A thread and a service in focus can cooperate in different ways: use (denoted $\mathtt{P}/\mathtt{f}.\mathtt{H})$, apply (denoted $\mathtt{P}•\mathtt{f}.\mathtt{H})$, and reply (denoted $\mathtt{P}!\mathtt{f}.\mathtt{H})$. In the case of use, the service is used for computing a thread; in the case of apply, the thread transforms the service which will contain inputs before a run of the thread is started and outputs upon termination of the run said thread; and in case of reply, a mere Boolean value is computed. Use and apply represent extremes of the different way a sequential process may deal with data: data may support the computation of a more complicated process, and the sequential process is used for computing a function which is applied to the data. Below, we will only consider the case of use.

A representation of thread algebra terms of the process algebra ACP (as defined in [8]) is given in [4,9]. The idea is that a thread P is represented by a process $♮\left(\mathtt{P}\right)$ and a service $\mathtt{H}$ is represented by a process $♮\left(\mathtt{H}\right)$. ♮ is the thread/service to process projection, which may be alternatively be denoted by $\mathtt{ts}\mathtt{2}\mathtt{p}$. In particular, using ACP notation for actions for sending and reading along a port, and communication thereof (as used in [10] and later):

$$♮(\mathtt{P}⊴\mathtt{f}.\mathtt{m}⊵\mathtt{Q})={\mathtt{s}}_{\mathtt{f}}\left(\mathtt{m}\right)·({\mathtt{r}}_{\mathtt{f}}\left(\mathtt{true}\right)·♮\left(\mathtt{P}\right)+{\mathtt{r}}_{\mathtt{f}}\left(\mathtt{false}\right)·♮\left(\mathtt{Q}\right))$$

$\mathtt{P}•\mathtt{f}.\mathtt{H}$ is represented by a parallel composition $♮(\mathtt{P}•\mathtt{f}.\mathtt{H})={\partial }_{\mathtt{RS}}(♮\left(\mathtt{P}\right)||♮(\mathtt{f}.\mathtt{H}))$ of a representation $♮\left(\mathtt{P}\right)$ of $\mathtt{P}$ and a representation $♮(\mathtt{f}.\mathtt{H})$ of $\mathtt{f}.\mathtt{H}$. Here ${\partial }_{\mathtt{RS}}$ is the encapsulation operator which guarantees that corresponding send and receive actions, together collected in the set $\mathtt{RS}$, will synchronize. A state of a service $\mathtt{H}\left(\mathtt{s}\right)$ then takes the following form:

$$♮\left(\mathtt{H}\left(\mathtt{s}\right)\right)=\sum _{\mathtt{m}\in \mathtt{J}}(\mathtt{r}\left(\mathtt{m}\right)·\mathtt{s}(\theta (\mathtt{m},\mathtt{s}))·♮(\mathtt{H}(\eta (\mathtt{m},\mathtt{s},\theta (\mathtt{m},\mathtt{s})\left)\right))$$

Here $\theta (\mathtt{m},\mathtt{s})$ is a Boolean condition which determines the reply value of the service on the call of method $\mathtt{m}$: if $\theta (\mathtt{m},\mathtt{s})=\mathtt{true}$, then the reply value is $\mathtt{true}$ and if $\theta (\mathtt{m},\mathtt{s})=\mathtt{false}$, then the reply value is $\mathtt{false}$. The function $\eta$ determines the state of the service after a reply has been returned. The follow-up state depends on the original state $\mathtt{s}$, the method involved and the reply value $\theta (\mathtt{m},\mathtt{s})$ that has been returned.

For an ordinary service $\mathtt{H}$, $\theta (-,-)$ the so-called reply condition, and $\eta (-,-,-)$, the so-called effect function, are functions. In the case of an infinite state space, it is plausible that both functions are computable. Throughout the paper, we will assume that $\eta$ is a function, while $\theta$ may depend on other attributes of a system in which the service operates. If $\theta (-,-)$ is a function, i.e., it depends on $\mathtt{m}$ and $\mathtt{s}$ only, the service is called ordinary.

The following equivalent form is more suggestive about the fact that for each method call, the corresponding reply conditions must be evaluated just once. Here, $\mathtt{x}⊲\varphi ⊳\mathtt{y}$ is the “if $\varphi$ then x else y” function with the condition written as the argument in the middle. When located under focus $\mathtt{f}$ the send and receive actions are renamed, the focus $\mathtt{f}$ being used as a port name for the process algebra notation, we obtain $♮(\mathtt{f}.\mathtt{H}(\mathtt{s}\left)\right)=$${\sum }_{\mathtt{m}\in \mathtt{J}}({\mathtt{r}}_{\mathtt{f}}\left(\mathtt{m}\right)·\left(\right({\mathtt{s}}_{\mathtt{f}}\left(\mathtt{true}\right)·♮\left(\mathtt{H}\right(\eta (\mathtt{m},\mathtt{s},\mathtt{true})\left)\right))⊲\theta (\mathtt{m},\mathtt{s})⊳({\mathtt{s}}_{\mathtt{f}}\left(\mathtt{false}\right)·♮\left(\mathtt{H}\right(\eta (\mathtt{m},\mathtt{s},\mathtt{false})\left)\right)\left)\right))$ A trivial manner in which the reply condition can be non-functional is to have it dependent of the focus by which the service is made accessible (using multiline notation for better readability and subscripts for the reply condition and effect function so that unambiguous reference to these from outside the architerm can be made).

$$\begin{array}{l}♮(\mathtt{f}.\mathtt{H}\left(\mathtt{s}\right))={\sum }_{\mathtt{m}\in \mathtt{J}}({\mathtt{r}}_{\mathtt{f}}\left(\mathtt{m}\right)·\\ \left(\right({\mathtt{s}}_{\mathtt{f}}\left(\mathtt{true}\right)·♮\left(\mathtt{H}\right({\eta }_{\mathtt{H}}(\mathtt{m},\mathtt{s},\mathtt{true})\left)\right))\\ ⊲{\theta }_{\mathtt{H}}(\mathtt{m},\mathtt{s})⊳\\ ({\mathtt{s}}_{\mathtt{f}}\left(\mathtt{false}\right)·♮\left(\mathtt{H}\right({\eta }_{\mathtt{H}}(\mathtt{m},\mathtt{s},\mathtt{false})\left)\right))\\ )\\ )\end{array}$$

Multiple services, ${\mathtt{H}}_{\mathtt{1}},\dots ,{\mathtt{H}}_{\mathtt{n}}$ accessible under pairwise different foci ${\mathtt{g}}_{\mathtt{1}},\dots ,{\mathtt{g}}_{\mathtt{n}}$ are combined into a single service using the service composition operator ⊕: ${\mathtt{g}}_{\mathtt{1}}.{\mathtt{H}}_{\mathtt{1}}\oplus \dots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{H}}_{\mathtt{n}}$. For the details of service composition, we refer to [4]. In terms of the process algebra, one finds $♮({\mathtt{g}}_{\mathtt{1}}.{\mathtt{H}}_{\mathtt{1}}\oplus \dots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{H}}_{\mathtt{n}})=♮({\mathtt{g}}_{\mathtt{1}}.{\mathtt{H}}_{\mathtt{1}})\left|\right|\dots \left|\right|♮({\mathtt{g}}_{\mathtt{n}}.{\mathtt{H}}_{\mathtt{n}})$, at least in case the ${\mathtt{g}}_{\mathtt{i}}$ are pairwise different. Thread algebra allows different representations in terms of process algebra. For instance, for some applications, an interpretation into a discrete time process algebra (see, for example, [11]) is preferable. Below, the thread algebra notation is used unless the additional detail of how a basic action is realised via a pair of atomic actions matters.

A thread $\mathtt{P}$ may be defined in different ways. First of all, threads can be defined, like processes in process algebra, by means of recursion equations or systems of recursion equations; for instance $\mathtt{P}=\mathtt{S}⊴\mathtt{f}.\mathtt{m}\mathtt{1}⊵(\mathtt{P}⊴\mathtt{g}.\mathtt{m}\mathtt{2}⊵\mathtt{D})$. Otherwise, comparable with the use of a transition system as a process definition in process algebra, a thread, say $\mathtt{P}$, can be defined by means of thread extraction from an instruction sequence, say $\mathtt{X}$: $\mathtt{P}=\left|\mathtt{X}\right|$. An expression of the form ${\partial }_{\mathtt{RS}}(\mathtt{P}•{\mathtt{g}}_{\mathtt{1}}.{\mathtt{H}}_{\mathtt{1}}\oplus \dots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{H}}_{\mathtt{n}})$ is referred to as an architerm, it describes a so-called execution architecture for $\mathtt{X}$, in the terminology of [12].

Process algebras contain behaviours as elements and provide composition operators for these. Many different process algebras have been designed, and process algebras can be tailor made for certain application areas. Conventionally, process algebras have been studied in the context of parallel processes so that parallel composition is the primary composition operator. In thread algebra, behaviours represent sequential systems, including deterministic systems that result from scheduled concurrent compositions of sequential systems (see [1,5]).

Instruction sequences, as well as threads, allow, as much as possible, the separation of data and control. For no datatype, not even for Booleans, the presence is taken for granted in the setting of program algebra. Only Boolean feedback from operations on data (i.e., method calls), which are located in services, is used to influence the progression of control.

1.1. Prospecting, Foresight and Lookahead Conditions

We will discuss prospecting in the context of thread algebra. Prospecting allows an agent participating in a system to survey (aspects of) the potential future behaviour of one or more other agents in the system. We model prospecting as a capability of a service. We use the term prospecting rather than the perhaps more appealing term lookahead in order to diminish the connotation of statistically sound inference from available data. Dealing with prospecting in a process algebra setting seems to be harder but may follow suit just as, for instance, strategic interleaving was first defined in the context of thread algebra in [1] and only thereafter in a setting of process algebra (see, for example, [13]).

Foresight constitutes the apparently successful ability of an agent in a system to take future options of behaviour of the entire system into account. We use the term foresight rather than forecasting, also in order to weaken the connotation of inference based on scientifically rigorous methods. Indeed prospecting, as meant below, may be achieved by way of magic, and forecasting may be based on unexplained or non-rigorous forecasting. Foresight is a phenomenon which concerns a system as a whole because it combines the intention of an agent in the system to take expectations or knowledge about the entire system (including the agent) into account as well as some assessment of the success of the agent in that respect.

Prospecting may allow successful foresight. One may think of an agent as a robot $\mathtt{R}$ the software of which is known to another agent $\mathtt{P}$ in the form of a compiled source program. Somehow $\mathtt{P}$ may be able to make useful predictions about the behaviour of $\mathtt{R}$ on the basis of that information. We will not look into this particular scenario, and it is mentioned only in order to indicate that it is not inconceivable that agent $\mathtt{P}$ uses intelligence to obtain meaningful information regarding the future behaviour of another component $\mathtt{R}$.

An example of prospect and foresight is as follows. With ${\mathtt{I}}_{\mathsf{method}}\left(\mathtt{H}\right)$, we will denote the method interface of $\mathtt{H}$, and a detailed description of interfaces is given in Section 2.4. Let $\mathtt{m}\mathtt{1}\in {\mathtt{I}}_{\mathsf{method}}\left({\mathtt{K}}_{\mathtt{1}}\right)$ and $\mathtt{m}\mathtt{2}\in {\mathtt{I}}_{\mathsf{method}}\left({\mathtt{K}}_{\mathtt{2}}\right)$. Now consider the following architerm: $\mathtt{A}=$$(({\mathtt{g}}_{\mathtt{2}}.\mathtt{m}\mathtt{2}\circ \mathtt{S})⊴{\mathtt{g}}_{\mathtt{1}}.\mathtt{m}\mathtt{1}⊵\mathtt{S})⊴\mathtt{h}.\mathtt{find}⊵(\mathtt{S}⊴{\mathtt{g}}_{\mathtt{1}}.\mathtt{m}\mathtt{1}⊵({\mathtt{g}}_{\mathtt{2}}.\mathtt{m}\mathtt{2}\circ \mathtt{S})))•\mathtt{h}.\mathtt{H}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}$.

The task is to design a service $\mathtt{H}$ with method interface ${\mathtt{I}}_{\mathsf{method}}\left(\mathtt{H}\right)=\left\{\mathtt{find}\right\}$ which works in such a manner that in all circumstances, $\mathtt{A}=\mathtt{A}(\mathtt{H},{\mathtt{K}}_{\mathtt{1}},{\mathtt{K}}_{\mathtt{2}})$ will perform the basic action ${\mathtt{g}}_{\mathtt{2}}.\mathtt{m}\mathtt{2}$. Suppose that $\mathtt{H}$ is an ordinary service, say $\mathtt{H}\left({\mathtt{s}}_{\mathtt{0}}\right)$ with state space ${\mathtt{S}}_{\mathtt{H}}$ and ${\mathtt{s}}_{\mathtt{0}}\in {\mathtt{S}}_{\mathtt{H}}$, and with reply condition ${\theta }_{\mathtt{H}}(\mathtt{find},\mathtt{s})$ and effect function ${\eta }_{\mathtt{H}}(-,-,-)$. Now suppose ${\theta }_{\mathtt{H}}(\mathtt{find},{\mathtt{s}}_{\mathtt{0}})=\mathtt{true}$, then on the first call of a method (in this case $\mathtt{h}.\mathtt{find}$) a reply $\mathtt{true}$ is received so that the next state of the computation will be

$${\mathtt{A}}^{★}=(({\mathtt{g}}_{\mathtt{2}}.\mathtt{m}\mathtt{2}\circ \mathtt{S})⊴{\mathtt{g}}_{\mathtt{1}}.\mathtt{m}\mathtt{1}⊵\mathtt{S})•\mathtt{h}.\mathtt{H}({\eta }_{\mathtt{H}}({\mathtt{s}}_{\mathtt{0}},\mathtt{find},\mathtt{true}))\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}$$

Now assume that service ${\mathtt{K}}_{\mathtt{1}}$ produces reply $\mathtt{false}$ on the first call of method $\mathtt{m}\mathtt{1}$. Then (writing ${\mathtt{t}}_{\mathtt{0}}$ for the initial state of ${\mathtt{K}}_{\mathtt{1}}$) the subsequent state is

$${\mathtt{A}}^{★★}=\mathtt{S}•\mathtt{h}.\mathtt{H}({\eta }_{\mathtt{H}}({\mathtt{s}}_{\mathtt{0}},\mathtt{find},\mathtt{true}))\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}({\eta }_{\mathtt{K}}({\mathtt{t}}_{\mathtt{0}},\mathtt{m}\mathtt{1},\mathtt{false}))\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}$$

Clearly, ${\mathtt{A}}^{★★}$ will not perform basic action ${\mathtt{g}}_{\mathtt{2}}.\mathtt{m}\mathtt{2}$. A similar argument can be given if it is assumed that ${\theta }_{\mathtt{H}}(\mathtt{find},{\mathtt{s}}_{\mathtt{0}})=\mathtt{false}$. It follows that an ordinary service $\mathtt{H}$ cannot have the required property that always a call ${\mathtt{g}}_{\mathtt{2}}.\mathtt{m}\mathtt{2}$ will take place.

Next, with a leap of imagination, one may allow the reply condition ${\theta }_{\mathtt{H}}(\mathtt{find},{\mathtt{s}}_{\mathtt{0}})$ to include ${\mathtt{K}}_{\mathtt{1}}$ as an additional argument and to allow $\mathtt{H}$ to experiment with the (hypothetical) future behaviour of ${\mathtt{K}}_{\mathtt{1}}$. Now consider the following reply condition for $\mathtt{H}$: ${\widehat{\theta }}_{\mathtt{H}}(\mathtt{find},{\mathtt{s}}_{\mathtt{0}})\equiv [{\mathtt{K}}_{\mathtt{1}}\left(\mathtt{m}\mathtt{1}\right)=\mathtt{true}]$ (i.e., ${\theta }_{{\mathtt{K}}_{\mathtt{1}}}(\mathtt{m}\mathtt{1},{\mathtt{t}}_{\mathtt{0}})=\mathtt{true}$). This new condition is permitted to acquire prospective information about another service in the architerm $\mathtt{A}$. Let $\mathtt{H}({\widehat{\theta }}_{{}_{\mathtt{H}}})$ denote the service obtained from $\mathtt{H}$ by replacing the reply condition $\theta (\mathtt{find},{\mathtt{s}}_{\mathtt{0}})$ by $\widehat{\theta }(\mathtt{find},{\mathtt{s}}_{\mathtt{0}})$ then the execution architecture $\mathtt{A}\left(\mathtt{H}\right(\widehat{\theta }),{\mathtt{K}}_{\mathtt{1}},{\mathtt{K}}_{\mathtt{2}})$ has the required property.

We will say that $\widehat{\theta }$ is a lookahead condition which allows $\mathtt{H}(\widehat{\theta })$ to perform prospecting, a state of affairs which then explains the fact that in configurations of the form $\mathtt{A}\left(\mathtt{H}\right(\widehat{\theta }),{\mathtt{K}}_{\mathtt{1}},{\mathtt{K}}_{\mathtt{2}})$ a phenomenon of foresight can be observed. In this paper, we will demonstrate some examples of lookahead conditions that may serve as non-ordinary reply conditions. The design of a most general class of such conditions is non-trivial so it seems, and the following problem is left open.

Problem 1.

Is there a plausible definition of which conditions may occur as (non-ordinary) reply conditions, so that prospection can be “exploited” to its limits?

This question applies in particular to configurations where more than one service may use lookahead conditions.

1.2. Configurations and Intermediate Configurations

Configurations capture both initial stages and intermediate stages for computations in an obvious manner: step after step, the basic actions of the thread are performed and the states of various services are updated. Final states of such computations are mere service families from which the thread has become trivial: either $\mathtt{S}$ or $\mathtt{D}$.

The term configuration refers to a threads/service configuration. A typical (generic) configuration has the form $\mathtt{C}\equiv \mathtt{P}•{\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \dots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}$. In the setting of thread algebra configurations compute by performing steps which correspond to (i) a method call being made, (ii) a reply being computed, and (iii) the (side) effect on the state of the service which is processing the call that is computed. Upon looking at the same run from the perspective of process algebra, additional precision can be obtained, and intermediate states and configurations appear. We will need some notation for intermediate configurations and components thereof.

For a thread $\mathtt{P}$, $‡\left(\mathtt{P}\right)$ will denote that same thread, though with its first atomic action (when present) missing. This idea can be made formal via the translation to processes: $♮(‡(\mathtt{P}\left)\right)$ is the unique process p such that for some atomic action $\mathtt{a}$ it is the case that $♮\left(\mathtt{P}\right)=\mathtt{a}.\mathtt{p}$ if such a decomposition of $\mathtt{P}$ atomic action exists and $♮\left(\mathtt{P}\right)=\delta$ (the inactive process in ACP) otherwise. In particular, one finds: $♮(‡(\mathtt{P}⊴\mathtt{f}.\mathtt{m}⊵\mathtt{Q}))={\mathtt{r}}_{\mathtt{f}}\left(\mathtt{true}\right)·♮\left(\mathtt{P}\right)+{\mathtt{r}}_{\mathtt{f}}\left(\mathtt{false}\right)·♮\left(\mathtt{Q}\right)$.

Moreover for two services ${\mathtt{H}}_{\mathtt{1}},{\mathtt{H}}_{\mathtt{2}}$ with the same method interface $\mathtt{J}$, let $\left[{\mathtt{H}}_{\mathtt{1}}\right]{⊲}_{\mathtt{f}}\theta {⊳}_{\mathtt{f}}\left[{\mathtt{H}}_{\mathtt{2}}\right]$ denote a service, present under focus $\mathtt{f}$, in the state just after having received a method call and going to reply $\mathtt{true}$, then moving on as ${\mathtt{H}}_{\mathtt{1}}$ if the reply condition $\theta$ turns out to be true and going to reply $\mathtt{false}$, while continuing as the service ${\mathtt{H}}_{\mathtt{2}}$ otherwise. Upon reading threads as process with ♮, one finds

$$♮(\left[{\mathtt{H}}_{\mathtt{1}}\right]{⊲}_{\mathtt{f}}\theta {⊳}_{\mathtt{f}}\left[{\mathtt{H}}_{\mathtt{2}}\right])=({\mathtt{s}}_{\mathtt{f}}\left(\mathtt{true}\right)·♮(\mathtt{f}.{\mathtt{H}}_{\mathtt{1}}))⊲\theta ⊳({\mathtt{s}}_{\mathtt{f}}\left(\mathtt{false}\right)·♮(\mathtt{f}.{\mathtt{H}}_{\mathtt{2}}))$$

Now consider the configuration $\mathtt{A}\equiv (\mathtt{P}⊴\mathtt{f}.\mathtt{m}⊵\mathtt{Q})•\mathtt{f}.\mathtt{H}\left(\mathtt{s}\right)\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \dots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}$. As a process, $♮\left(\mathtt{A}\right)$ takes smaller steps (one atomic action at a time) than as a thread/service configuration (one basic action at a time). After performing one atomic action (sending $\mathtt{m}$ to $\mathtt{H}$ via port f), the following configuration ${\mathtt{A}}^{\prime }$ is obtained:

$$\begin{array}{l}{\mathtt{A}}^{\prime }\equiv ‡(\mathtt{P}⊴\mathtt{f}.\mathtt{m}⊵\mathtt{Q}))•\\ \mathtt{f}.\left(\right[{\mathtt{H}}_{\mathtt{1}}({\eta }_{{\mathtt{H}}_{\mathtt{1}}}(\mathtt{s},\mathtt{m},\mathtt{true})]{⊲}_{\mathtt{f}}\theta (\mathtt{s},\mathtt{m}){⊳}_{\mathtt{f}}\left[{\mathtt{H}}_{\mathtt{2}}\right({\eta }_{{\mathtt{H}}_{\mathtt{2}}}(\mathtt{s},\mathtt{m},\mathtt{false})\left]\right)\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \dots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}\end{array}$$

.

The advantage of considering ${\mathtt{A}}^{\prime }$ is that it provides a precise picture of the situation in which a reply condition determines which reply is to be returned after a method call has been received and the corresponding reply has been computed by the service at hand, and how the service at hand will proceed. This picture allows an informal answer to Problem 1.

Definition 1 (Informal definition of lookahead conditions).

In the configuration ${\mathtt{A}}^{\prime }$, a lookahead condition $\theta (\mathtt{s},\mathtt{m})$ may depend on

(i) all focus and method names which play a role in ${\mathtt{A}}^{\prime }$,

(ii) the threads $\mathtt{P}$ and $\mathtt{Q}$, and

(iii) the services ${\mathtt{K}}_{\mathtt{1}},\dots ,{\mathtt{K}}_{\mathtt{n}}$.

What matters is that dependence on the services ${\mathtt{H}}_{\mathtt{1}}$ and ${\mathtt{H}}_{\mathtt{2}}$ is not permitted. The reason to be so cautious about ${\mathtt{H}}_{\mathtt{1}}$ and ${\mathtt{H}}_{\mathtt{2}}$ lies in the observation that it is more likely than not that the same lookahead condition $\theta (\mathtt{m},\mathtt{s})$ occurs in these services as well. That may happen, for instance, if ${\mathtt{H}}_{\mathtt{1}}$ and ${\mathtt{H}}_{\mathtt{2}}$ are chosen as both continuations of a single service $\mathtt{H}$ upon having received method call $\mathtt{f}.\mathtt{m}$ in state $\mathtt{s}$ and if after a number of steps, the same state is visited once more during the computation of ${\mathtt{A}}^{\prime }$. A complicated self-reference might result, which is now excluded, however.

In this manner, a reasonable upper bound to the notion of a lookahead condition in the context of ${\mathtt{A}}^{\prime }$ is obtained. A meaningful restriction, however, is that $\theta (\mathtt{s},\mathtt{m})$ is built up by logical connectives and quantifiers over primitive assertions, which can be understood as expressing outcomes of hypothetical experiments with configurations of the form

$${\mathtt{A}}^{\prime }\equiv ‡(\mathtt{P}⊴\mathtt{f}.\mathtt{m}⊵\mathtt{Q}))•\mathtt{f}.(\left[{\mathtt{L}}_{\mathtt{1}}\right]{⊲}_{\mathtt{f}}\theta (\mathtt{s},\mathtt{m}){⊳}_{\mathtt{f}}\left[{\mathtt{L}}_{\mathtt{2}}\right])\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \dots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}$$

for various ordinary services ${\mathtt{L}}_{\mathtt{1}}$ and ${\mathtt{L}}_{\mathtt{2}}$ with the same method interface $\mathtt{J}$ as is required for ${\mathtt{H}}_{\mathtt{1}}$ and ${\mathtt{H}}_{\mathtt{2}}$ in the configuration ${\mathtt{A}}^{\prime }$.

Below, we will make use of the following notation: $\mathtt{P}•{\mathtt{f}}_{\mathtt{1}}.{\mathtt{H}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{f}}_{\mathtt{n}}.{\mathtt{H}}_{\mathtt{n}}\underline{\mathtt{sat}}\mathtt{CALL}({\mathtt{f}}_{\mathtt{i}}.\mathtt{m})$ expresses that after zero or more intermediate steps (counting atomic actions as steps), the computation starting with the architerm $\mathtt{B}\equiv \mathtt{P}•{\mathtt{f}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{f}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}$ will perform a call ${\mathtt{f}}_{\mathtt{i}}.\mathtt{m}$ (or more precisely, $♮\left(\mathtt{B}\right)$ will perform an action ${\mathtt{c}}_{\mathtt{f}}\left(\mathtt{m}\right)$ which constitutes the synchronisation of a send action and a receive action with content $\mathtt{m}$ along port $\mathtt{f}$ (in ACP style process algebra terminology). Taking ${\mathtt{A}}^{\prime }$ for $\mathtt{B}$ the condition ${\mathtt{A}}^{\prime }\underline{\mathtt{sat}}\mathtt{CALL}(\mathtt{f}.\mathtt{m})$ is an example of an assertion which can be understood as expressing information concerning outcomes of experimentation with runs of ${\mathtt{A}}^{\prime }$ and, for that reason, as a lookahead condition.

1.3. Thread Algebra, an ACP Representable Domain Specific Process Algebra

An action $\mathtt{f}.\mathtt{m}$ in the context of program algebra and thread algebra is called a basic action. Seen from the viewpoint of process algebras, basic actions are not atomic actions. Instead, a basic action can be explained in terms of synchronous communication of atomic actions. As was outlined above, thread algebra, services, and service composition can be interpreted in process algebra, and in fact, different such interpretations exist. We prefer to understand this kind of interpretation as a representation. The process algebra provides a well-known semantic standard based on bisimulation semantics, while the thread algebra is to some extent a matter of ad hoc design. By thinking in terms of representations of thread algebra in process algebra, the conceptual primacy of process algebra is emphasised. Upon adopting a specific representation, e.g., as indicated above, the use of thread algebra instead of the underlying process algebra becomes merely a matter of convenience. Thread algebra does not come with the ambition to acquire any new semantic insights or principles for concepts, such as sequential composition, concurrent composition, atomicity of actions, abstraction from internal (silent) steps, and the proper definition and use of infinite state systems. Thread algebra is a domain-specific process algebra that features two kinds/classes of domain-specific processes: threads and service families. Thread algebra offers several domain-specific combinators on these domain-specific classes of processes (apply, use, and reply), each of which are instances of reactive concurrent composition when understood from the perspective of process algebra. Thread algebra is ACP representable in the sense that there is a preferred representation (♮) of thread algebra into ACP-style process algebra.

Thread algebra is one of several domain-specific process algebras that have been developed on the basis of representation in ACP. Process algebra based on asynchronous communication constitutes a domain-specific process algebra which may be further specialised for use with dataflow networks. Alternatively, systolic arrays may be modelled with a highly concurrent version of ACP. The notation $\mu$CRL [14] and its successor mCRL2 [15] may be understood as domain-specific process algebras which exploit data as parameters of processes rather than to have as separate semantic entities wrapped in a dedicated process, or as parameters of an additional operator (viz. the state operator of [16]).

For threads and services, the notion of an interface is vital. Interface calculus is a “sister” of the alpha–beta calculus for ACP in [17]. As it turns out, due to the built-in symmetries in ACP, the idea of an interface boils down to a set of actions, which is relatively simple compared with the notion of an interface, as it is needed for the setup of thread algebra.

Thread algebra involves threads and services, representing two types of agents with threads having a focus on control, and services a focus on data. Thread algebra is more specific for sequential, deterministic, and reactive systems and, therefore, less general than process algebra, which is meant to capture arbitrary concurrent systems.

Different forms of process algebra come into play for different themes. In this paper, we will look at prospecting, both phenomena which one may at least hypothetically ascribe to the behaviour of an agent, and foresight, a capability which, again hypothetically, may be ascribed to the participation of an agent in a system.

For software engineering, the idea of prospecting is rather uncommon, though very common in processor pipelines. Prospecting is usually expected of rational agents. Prospecting and foresight play a role already in sequential systems, and for that reason, the investigation of these topics may well start with thread algebra rather than in process algebra.

Process algebra is a tool for analysing the options for mutual communication and understanding in a multi-agent network. Such networks are thematic for AI. Thread algebra, and an underlying program algebra, provide specialised algebraic approaches for dealing with sequential subsystems of such networks.

Prospecting services were studied in [12] (then named forecasting services) and in [4], where it was shown that such services cannot correctly forecast halting when giving replies in a two-valued logic only. In [4], different forms of the halting problem are formalised in the context of thread algebra. Apparently, thread algebra is better suited for analysing such applications, where control and data are to be treated on equal footing than process algebras, where control is the dominant feature and data are an “add on” feature to some extent.

1.4. Process Algebra, Thread Algebra, and AI

Process algebra can help to analyse the boundaries of what can be computed. What Turing machines do for computability, allowing techniques for analysing what can and what cannot be done, can be repeated and adapted in a plurality of models of concurrency when it comes to analysing the notion of algorithmic impossibility for interacting agents. Process algebra, as an approach with a plurality of instances, each of which serves as a model for concurrency, allows some uniformity for the analysis of such models. Analysing what cannot be done in qualitative terms is of relevance for AI as much (or even more) as it has been for computer science.

When it comes to proving the impossibility of computational phenomena, arguments often depend on diagonalisation. At face value, the liar paradox and the Russel paradox on the one hand and undecidability of the halting problem and the incompleteness of the axioms of Peano arithmetic (following Gödel) are similar phenomena. However, there is a difference: the liar paradox and the Russel paradox show that certain combinations of features are clearly inconsistent. These are paradoxes. The unsolvability of the Halting problem and the incompleteness of Peano arithmetic show that certain problems are just too complex to be solved by certain limited means, and these express unfeasibility rather than a paradox. Admittedly, this discrepancy is gradual; provability logics in arithmetic bridge this kind of gap, and in [4], it was analysed how Turing incompleteness can take the form of a paradox-like manifest incompatibility when working in a setting of program algebra and thread algebra.

The famous observation by Cohen dating back to 1984 [18] (see also [19,20]) that an agent cannot decide whether or not its behaviour will be harmful, brings to the surface a disparity of the first kind: a certain combination of features, including a form of forecasting is paradoxical, i.e., leads to a manifest contradiction, while at closer inspection, a somewhat different casting of the same theme brings it closer to the halting problem and Gödel incompleteness. What is tried cannot be achieved in full generality because it is too difficult, not because it is a paradoxical (self-contradictory) idea as such.

In this article, we elaborate on these matters with the following general question in mind.

Problem 2.

Where are the boundaries and what are the options concerning self-reflection about the future of a computation, the self-reflection being understood as a part of the same computation?

In light of the objectives of this special issue, it matters contemplating how and why this particular problem might matter for AI.

• Contemplating the Cohen impossibility result, several follow-up questions arise. To begin with, one may ask how the software engineering life-cycle for certain safety critical components would change (would have changed) if the result would have been the opposite to what it has been. How would the tests (which, after all, do not exist) would be used in practice.
  The software engineering life-cycle is a computational model where computed phases and human actions take place in an interleaved manner. However, as a result of progress in AI, increasingly, many of the human steps are becoming incorporated in the computed phases. The question arises if the availability of the program/machine that Cohen showed not to exist would, hypothetically, show up in systems design for automated programming. Apparently, an attempt to incorporate a component which is blessed with successful foresight about whether or not another component is viral (assuming a particular definition of that) into a larger system induces a change of the requirements on said component. As a consequence of that change, instead of being paradoxical, it becomes merely unfeasible (as in the case of the halting problem) to determine virality.
  Unfeasible problems may have useful automated approximations, however, which then could be used for imperfect but still practical automated improvements of an ordinary software engineering life-cycle. By working with approximations of software components that provably do not exist, hypothetical foresight may be transformed into plausible forecasting.
• The Cohen impossibility may be considered, like the halting problem, to constitute merely a conceptual matter. However, one may consider the notion of a program fault. The formidable literature on program faults provides some principled approaches, e.g., in [21,22], where the idea is that a fault must have two properties, it can be the cause of a failure during a run and it allows a (preferably provable, otherwise at least evidence based) improvement such that said cause is removed. For a survey of approaches to the notion of a program fault, we refer to [23]. Faults may be understood as options for forecasting certain failures, and in a fully automated software engineering life-cycle, one can imagine tools for dealing with, i.e., profiting from, such forms of foresight.
• Another link between AI and forecasting arises when contemplating robot morality. Without assuming any form of lookahead, it is hardly possible to imagine any moral judgement regarding the control software for a military robot. For some reflection on this matter, we refer to [24].
• Another area where lookahead plays a role is garbage collection, where, given a pool of linked objects which is used for the processing of a single instruction sequence only, the notion of garbage may be made dependant on the future behaviour of said instruction sequence. This idea gives rise to the notion of shedding (see [25]), which involves run-time foresight by a thread about its own future behaviour. Comparable to the case of virus detection, it takes care to avoid self-contradictory requirements, and indeed AI methods for automated self-reflection might become useful for garbage collection.

1.5. Survey of the Paper

Thread algebra is introduced as a domain-specific process algebra. In particular, thread algebra is ACP representable. The use of process algebra facilitates the introduction of so-called intermediate states, which proves very helpful for introducing the informal notion of a lookahead condition (in Definition 1). Two more informal notions, prospecting service and foresight pattern, are introduced. The relevance of non-paradoxical foresight patterns is motivated.

A fairly complete account is presented of interfaces in the context of thread algebra. That is done both in intuitive and semantic terms and by way of an axiomatisation which is informative, though lacking known formal properties.

The new results are as follows: Proposition 3 demonstrates a case where foresight cannot be realised, while this is not entirely obvious. Proposition 5 introduces a new foresight mechanism, which indicates that the Cohen impossibility result is shown in a context where the sought forecasting pattern is not paradoxical. Theorem 2 indicates that for the same requirements, paradoxical circumstances arise in the presence of a second service with prospecting capability. The basic action foresight pattern is introduced, and in Proposition 4, a prospecting service is obtained which can implement this pattern.

2. Threads, Services, and Architerms

At risk of repeating some elements that were covered in the introduction, we will proceed with some additional remarks on threads, services and service families. We will use without further reference the elements of program algebra, thread algebra, and instruction sequence theory which are surveyed in [3,26], and which have been set out in detail in the papers referenced therein. In these papers, the focus method notation $\mathtt{f}.\mathtt{m}$ provides a basic instruction, where the focus $\mathtt{f}$ represents the name of (a link to) a service and $\mathtt{m}$ names a method to be applied to (as seen from an instruction sequence) and processed by (as seen from the service) the service, under the assumption that (i) the service will send a Boolean reply back to the instruction sequence which made the method call $\mathtt{f}.\mathtt{m}$ in such a manner that the continuation of the computation as prescribed by the instruction sequence may (but need not) depend on the reply value, (ii) as a consequence of processing the method $\mathtt{m}$, the service may update its state, and (iii) in between the processing of subsequent method calls, say $\mathtt{f}.\mathtt{m}\mathtt{1}$ and $\mathtt{f}.\mathtt{m}\mathtt{2}$, the service may interact with external components working as an independent process, concurrently with other services. The architerm, also termed configuration, which will mostly be used below, is thus:

$${\partial }_{\mathtt{U}}(\mathtt{P}•{\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}})$$

with $\mathtt{P}$ a thread and ${\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}$, a service family which offers access to service ${\mathtt{K}}_{\mathtt{i}}$ under focus ${\mathtt{g}}_{\mathtt{i}}$ for $\mathtt{1}\le \mathtt{i}\le \mathtt{n}$, and with $\mathtt{U}\subseteq \{{\mathtt{g}}_{\mathtt{1}},\dots ,{\mathtt{g}}_{\mathtt{n}}\}$. More often than not, the encapsulation operator will be omitted from an architerm.

The service combination operator $\_\oplus \_$ is assumed to be commutative and associative so that the ordering of the services in an expression for an execution architecture does not matter. ${\partial }_{\mathtt{U}}(-)$ performs restriction to the services with a focus outside $\mathtt{U}$. The representation of restriction in ACP-style process algebra satisfies $♮\left({\partial }_{\mathtt{U}}(\mathtt{P}•{\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}})\right)={\partial }_{\mathtt{RS}\left(\mathtt{U}\right)}(♮(\mathtt{P}•{\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}))$ with $\mathtt{RS}\left(\mathtt{U}\right)$ containing the communication actions along port $\mathtt{f}$, that is

$$\mathtt{RS}\left(\mathtt{U}\right)=\{{\mathtt{c}}_{\mathtt{f}}\left(\mathtt{m}\right),{\mathtt{c}}_{\mathtt{f}}\left(\mathtt{b}\right)\mid \mathtt{f}\in \{{\mathtt{g}}_{\mathtt{1}},\dots ,{\mathtt{g}}_{\mathtt{n}}\},\mathtt{m}\in {\mathtt{I}}_{\mathsf{method}}\left({\mathtt{H}}_{\mathtt{i}}\right),\mathtt{b}\in \{\mathtt{true},\mathtt{false}\}\}$$

Here ${\mathtt{c}}_{\mathtt{f}}\left(\mathtt{m}\right)={\mathtt{s}}_{\mathtt{f}}\left(\mathtt{m}\right)|{\mathtt{r}}_{\mathtt{f}}\left(\mathtt{m}\right)$ and ${\mathtt{c}}_{\mathtt{f}}\left(\mathtt{b}\right)={\mathtt{s}}_{\mathtt{f}}\left(\mathtt{b}\right)|{\mathtt{r}}_{\mathtt{f}}\left(\mathtt{b}\right)$ with $-|-$, the communication function of ACP. Services with a focus in $\mathtt{U}$ may be used as containers for inputs or as containers for auxiliary data only of use during a computation. All outputs are located as states in services with a focus outside $\mathtt{U}$. For this particular notion of an execution architecture for instruction sequences and for threads, we refer to [12] and to the further development thereof in [4]. Below, we will use architerm as an abbreviation of execution architecture.

The equality of architerms is denoted with ≡. Architerm equality is a somewhat informal motion because it depends on the context as to how much abstraction comes with ≡. Writing $\mathtt{A}\equiv {\partial }_{\mathtt{U}}(\mathtt{P}•{\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}})$, it is confirmed that $\mathtt{A}$ denotes an architerm involving restriction (removal of auxiliary services from the result by ${\partial }_{\mathtt{U}}(-)$), a thread $\mathtt{P}$, which is applied to (processing determined by •) $\mathtt{n}$ services which are accessible via foci ${\mathtt{g}}_{\mathtt{1}},\dots ,{\mathtt{g}}_{\mathtt{n}}$, respectively. No further structural information is given (via $\mathtt{A}$) regarding $\mathtt{P}$ and the respective services. We will always assume that the ${\mathtt{g}}_{\mathtt{i}}$ are pairwise different. With $\mathtt{U}=\{{\mathtt{g}}_{{\mathtt{j}}_{\mathtt{1}}},\dots ,{\mathtt{g}}_{{\mathtt{j}}_{\mathtt{k}}}\}$, the service family ${\mathtt{g}}_{{\mathtt{j}}_{\mathtt{1}}}.{\mathtt{K}}_{{\mathtt{j}}_{\mathtt{1}}}\oplus \cdots \oplus {\mathtt{g}}_{{\mathtt{j}}_{\mathtt{l}}}.{\mathtt{K}}_{{\mathtt{j}}_{\mathtt{k}}}$ contains the services with either a pure input status or an auxiliary status (or a combination of both) for the architerm $\mathtt{A}$. With $\mathtt{B}\equiv |+\mathtt{f}.\mathtt{m}\mathtt{1};\#\mathtt{3};-\mathtt{g}.\mathtt{m}\mathtt{2};\mathtt{f}.\mathtt{m}\mathtt{3};\mathtt{X};!|•\mathtt{f}.\mathtt{K}\oplus \mathtt{g}.\mathtt{L}$, it is required that a thread is applied which is obtained via thread extraction from an instruction sequence beginning with $+\mathtt{f}.\mathtt{m}\mathtt{1};\#\mathtt{3};-\mathtt{g}.\mathtt{m}\mathtt{2};\mathtt{f}.\mathtt{m}\mathtt{3}$ and ending with !. The idea is then that said instruction sequence ($+\mathtt{f}.\mathtt{m}\mathtt{1};\#\mathtt{3};-\mathtt{g}.\mathtt{m}\mathtt{2};\mathtt{f}.\mathtt{m}\mathtt{3}$) constitutes a part of the architerm. By substitution for variables, the architerms can be refined.

2.1. Reply Function Services

Each service $\mathtt{H}$ comes with (i) an input alphabet $\mathtt{J}={\mathtt{I}}_{\mathsf{method}}\left(\mathtt{H}\right)$ and (ii) a reply function $\alpha :{\mathtt{J}}^{+}\to \{\mathtt{true},\mathtt{false}\}$. When a method call $\mathtt{m}\in \mathtt{J}$ takes place, the reply is $\alpha \left(\mathtt{m}\right)$ and the new reply function is $\lambda \mathtt{u}\in {\mathtt{J}}^{+}\alpha \left(\mathtt{m}\mathtt{u}\right)$. A reply-only service has implicit states, and the reply function serves as its state.

We write $\mathtt{RFS}(\mathtt{J},\alpha )$ for the service with method interface ${\mathtt{I}}_{\mathsf{method}}\left(\mathtt{RFS}\right(\mathtt{J},\alpha \left)\right)=\mathtt{J}$ and reply function $\alpha :{\mathtt{J}}^{+}\to \{\mathtt{true},\mathtt{false}\}$. When available under focus $\mathtt{f}$, the (single-service) service family $\mathtt{f}.\mathtt{RFS}(\mathtt{J},\alpha )$ has provided interface ${\mathtt{I}}_{\mathtt{provided}}(\mathtt{f}.\mathtt{RFS}(\mathtt{J},\alpha \left)\right)=\{\mathtt{f}.\mathtt{m}\mid \mathtt{m}\in \mathtt{J}\}$. $\mathtt{f}.\mathtt{RFS}(\mathtt{J},\alpha )$ will process method call $\mathtt{f}.\mathtt{m}$ by asking $\mathtt{RFS}(\alpha ,\mathtt{J})$ to process the call $\mathtt{m}$.

2.2. Stateful Services

A service may also have an explicit state space. Then, $\mathtt{H}$ comes with a state space $\mathtt{S}$ containing an initial state ${\mathtt{s}}_{\mathtt{0}}$ and a reply condition function $\theta :\mathtt{S}\times \mathtt{J}\to \{\mathtt{true},\mathtt{false}\}$ and an effect function $\eta :S\times J\times \{true,false\}\to S$. Upon method call $\mathtt{m}\in \mathtt{J}$ and when in state $\mathtt{s}$, the condition $\theta (\mathtt{s},\mathtt{m})$ is evaluated. Let $\mathtt{b}\in \{\mathtt{true},\mathtt{false}\}$ be the result of evaluating $\theta (\mathtt{s},\mathtt{m})$, then $\mathtt{b}$ is returned to the calling thread as a reply, and the next state is $\eta (\mathtt{s},\mathtt{m},\mathtt{b})$.

Such services are called stateful. We write $\mathtt{SFS}(\mathtt{J},\mathtt{S},{\mathtt{s}}_{\mathtt{0}},\theta ,\eta )$ (for stateful service) for the service with method interface $\mathtt{J}$, state space $\mathtt{S}$, with initial state ${\mathtt{s}}_{\mathtt{0}}\in \mathtt{S}$ reply condition function $\theta$, and effect function $\eta$.

The architectural primitive $-•-$ indicates that thread $\mathtt{P}$ is run in the context of the service family ${\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\left({\mathtt{s}}_{\mathtt{1}}\right)\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}\left({\mathtt{s}}_{\mathtt{n}}\right)$, with ${\mathtt{s}}_{\mathtt{i}}$, assuming encapsulation ${\partial }_{\mathtt{U}}$ with $\mathtt{U}=\{{\mathtt{g}}_{{\mathtt{i}}_{\mathtt{1}}},\dots ,{\mathtt{g}}_{{\mathtt{i}}_{\mathtt{k}}}\}$, a state of ${\mathtt{K}}_{\mathtt{i}}$, with as an output, in case of termination, a service family ${\mathtt{g}}_{{\mathtt{i}}_{\mathtt{1}}}.{\mathtt{K}}_{{\mathtt{i}}_{\mathtt{1}}}\left({\mathtt{s}}_{{\mathtt{i}}_{\mathtt{1}}}^{\prime }\right)\oplus \cdots \oplus {\mathtt{g}}_{{\mathtt{i}}_{\mathtt{k}}}.{\mathtt{K}}_{\mathtt{m}}\left({\mathtt{s}}_{{\mathtt{i}}_{\mathtt{k}}}^{\prime }\right)$. In case of non-termination as well as in the case of divergence after a number of method calls have been processed, the result is ${\mathtt{g}}_{{\mathtt{i}}_{\mathtt{1}}}.{\mathtt{0}}_{\mathsf{service}}\oplus \cdots \oplus {\mathtt{g}}_{{\mathtt{i}}_{\mathtt{k}}}.{\mathtt{0}}_{\mathsf{service}}$, where ${\mathtt{0}}_{\mathsf{service}}$ is the unique service which accepts no methods.

2.3. Threads and Thread Extraction

A thread $\mathtt{P}$ is either $\mathtt{S}$ (stop, termination), or $\mathtt{D}$ or ${\mathtt{P}}_{\mathtt{1}}⊴\mathtt{g}.\mathtt{m}⊵{\mathtt{P}}_{\mathtt{2}}$ for some method call (basic action ) $\mathtt{g}.\mathtt{m}$ and some threads ${\mathtt{P}}_{\mathtt{1}}$ and ${\mathtt{P}}_{\mathtt{2}}$. $\mathtt{P}⊴\mathtt{f}.\mathtt{m}⊵\mathtt{P}$ can be abbreviated to $\mathtt{f}.\mathtt{m}\circ \mathtt{P}$.

Instruction sequences and threads are connected via the thread extraction operator $\left|\mathtt{P}\right|$, for instance: $|\mathtt{f}.\mathtt{m};\mathtt{g}.\mathtt{m}\mathtt{1};\mathtt{h}.\mathtt{m}\mathtt{2};!|=\mathtt{f}.\mathtt{m}\circ \mathtt{g}.\mathtt{m}\mathtt{1}\circ \mathtt{h}.\mathtt{m}\mathtt{2}\circ \mathtt{S}$, $|+\mathtt{f}.\mathtt{m};\#\mathtt{2};\mathtt{g}.\mathtt{m}\mathtt{1};\mathtt{h}.\mathtt{m}\mathtt{2};!|=(\mathtt{h}.\mathtt{m}\mathtt{2}\circ \mathtt{S})⊴\mathtt{f}.\mathtt{m}⊵(\mathtt{g}.\mathtt{m}\mathtt{1}\circ \mathtt{h}.\mathtt{m}\mathtt{2}\circ \mathtt{S})$, and $|\mathtt{f}.\mathtt{m};+\mathtt{g}.\mathtt{m}\mathtt{1};!;-\mathtt{h}.\mathtt{m}\mathtt{2};\#\mathtt{0};!|=\mathtt{f}.\mathtt{m}\circ (\mathtt{S}⊴\mathtt{g}.\mathtt{m}\mathtt{1}⊵(\mathtt{S}⊴\mathtt{h}.\mathtt{m}\mathtt{2}⊵\mathtt{D}\left)\right)$, where $\mathtt{g}.\mathtt{m}\circ \mathtt{P}=\mathtt{P}⊴\mathtt{g}.\mathtt{m}⊵\mathtt{P}$.

For the construction of an apply architerm, it is required that the interfaces of the thread and service family match, i.e., that every method call can be processed by one of the services. Expressing these requirements rests on a notion of interface, which we will discuss in some detail.

2.4. Interfaces: Required Interfaces and Provided Interfaces

Interfaces serve as abstractions of components which are made in order to facilitate reasoning about the design and composition of components. Consider the instruction sequence, $\mathtt{X}\equiv +\mathtt{f}.\mathtt{m}\mathtt{1};\mathtt{g}.\mathtt{m}\mathtt{2};!$. The processing of $\mathtt{X}$ works as follows: (i) apply method $\mathtt{m}\mathtt{1}$ to the service accessible with focus $\mathtt{f}$; (ii) if the reply $\mathtt{false}$ is returned, skip the second method call and terminate; and (iii) if instead $\mathtt{true}$ is replied, perform the method call $\mathtt{g}.\mathtt{m}\mathtt{2}$ and then terminate, irrespective of the reply which has been returned. $\mathtt{X}$ requires of an execution environment that it provides a service accessible under focus $\mathtt{f}$ which is able to process a method named $\mathtt{m}\mathtt{1}$ and another service accessible under focus $\mathtt{g}$ which will process a method named $\mathtt{m}\mathtt{2}$. This information can be combined in the interface $\mathtt{J}=\{\mathtt{f}.\mathtt{m}\mathtt{1},\mathtt{g}.\mathtt{m}\mathtt{2}\}$. The interface $\mathtt{J}$ is a required interface, it conveys what an environment must provide for $\mathtt{X}$ to be properly effectuated. Now consider $\mathtt{Y}=!;+\mathtt{f}.\mathtt{m}\mathtt{1};\mathtt{g}.\mathtt{m}\mathtt{2};!$. $\mathtt{Y}$ will terminate at once and make no method calls. It is plausible to say that its required interface is empty. If, however, a jump from outside is allowed and a run may not start with the first instruction (e.g., in $\mathtt{Z}\equiv \#\mathtt{3};\mathtt{Y}$), then it is not plausible to think of $\mathtt{Y}$ as having an empty interface. With ${\mathtt{I}}_{\mathsf{required}}\left(\mathtt{P}\right)$, we will denote the required interface of an instruction sequence $\mathtt{P}$, which contains a mere collection of all basic actions ($\mathtt{f}.\mathtt{m}$), which occur in $\mathtt{X}$ (either as a void basic instruction $\mathtt{f}.\mathtt{m}$, as a positive test instruction $+\mathtt{f}.\mathtt{m}$ or as a negative test instruction $-\mathtt{f}.\mathtt{m}$). Thus, with $\mathtt{Y}$ as above, ${\mathtt{I}}_{\mathsf{required}}\left(\mathtt{X}\right)={\mathtt{I}}_{\mathsf{required}}\left(\mathtt{Y}\right)=\{\mathtt{f}.\mathtt{m}\mathtt{1},\mathtt{g}.\mathtt{m}\mathtt{2}\}$.

Given the task to design an instruction sequence, say $\mathtt{X}$, which computes some given function or otherwise performs some specified task, there may be constraints (requirements on) on the required interface of $\mathtt{X}$ for instance one may wish that ${\mathtt{I}}_{\mathsf{required}}\left(\mathtt{X}\right)\subseteq \mathtt{J}$ for some interface $\mathtt{J}$. For the programming task at hand, $\mathtt{J}$ is an access-constraining interface. Access-constraining interfaces play a key role in complexity questions about instruction sequences when looking for the shortest, or otherwise best, instruction sequence in some format (say PGLB of [2]) that achieves a certain given task.

Complementarily to the required interface of an instruction sequence, one may consider the method interface ${\mathtt{I}}_{\mathsf{method}}\left(\mathtt{H}\right)$ of a service, say $\mathtt{H}$, e.g., $\{\mathtt{m}\mathtt{1},\mathtt{m}\mathtt{2},\mathtt{m}\mathtt{3}\}$. A method interface of a service is a provided interface. If a service family $\mathtt{H}$ offers only $\mathtt{S}$ accessible under focus $\mathtt{f}$, then the provided interface of $\mathtt{H}$ is ${\mathtt{I}}_{\mathtt{provided}}\left(\mathtt{H}\right)=\{\mathtt{f}.\mathtt{m}\mathtt{1},\mathtt{f}.\mathtt{m}\mathtt{2},\mathtt{f}.\mathtt{m}\mathtt{3}\}$. If one has the task to design a service family, say $\mathtt{L}$, then it may be required that a certain interface $\mathtt{J}$ is provided by $\mathtt{L}$: ${\mathtt{I}}_{\mathtt{provided}}\left(\mathtt{L}\right)\supseteq \mathtt{J}$.

2.5. Some Naming Conventions; Equations for Interfaces

The paper involves a range of different types of entities, and we will follow some informal, and non-strict rules for the naming of variables for these types. We will use $\mathtt{X},\mathtt{Y},\mathtt{Z}$ for instruction sequences, $\mathtt{P},\mathtt{Q},\mathtt{R}$ for threads, $\mathtt{I},\mathtt{J}$ for interfaces, $\mathtt{H},\mathtt{K},\mathtt{L}$ for services, $\mathtt{S},\mathtt{T}$ for state spaces of (stateful) services with $\mathtt{s},\mathtt{t}$ for states in the state space of stateful services, and $\mathtt{V},\mathtt{W}$ for service families. Methods often are given names involving $\mathtt{m}$ or $\mathtt{n}$, and foci often have names involving $\mathtt{f}$, $\mathtt{g}$, or $\mathtt{h}$.

Using these conventions, some equations that loosely specify the various types of and operations about interfaces are given in

Table 1. Equations for provided interfaces.

$$\begin{array}{}\left(1\right)& \hfill \mathtt{x}\cup {\varnothing }_{\mathsf{interface}}& =& \mathtt{x}\hfill \left(2\right)& \hfill \mathtt{x}\cup \mathtt{y}& =& \mathtt{y}\cup \mathtt{x}\hfill \left(3\right)& \hfill \mathtt{x}\cup (\mathtt{y}\cup \mathtt{z})& =& (\mathtt{x}\cup \mathtt{y})\cup \mathtt{z}\hfill \left(4\right)& \hfill \mathtt{x}\cup \mathtt{x}& =& \mathtt{x}\hfill \left(5\right)& \hfill \mathtt{f}.\left\{\mathtt{m}\right\}& =& \{\mathtt{f}.\mathtt{m}\}\hfill \left(6\right)& \hfill \mathtt{f}.{\varnothing }_{\mathsf{method}-\mathsf{interface}}& =& {\varnothing }_{\mathsf{interface}}\hfill \left(7\right)& \hfill \mathtt{f}.(\mathtt{h}\cup \mathtt{u})& =& \mathtt{f}.\mathtt{h}\cup \mathtt{f}.\mathtt{u}\hfill \left(8\right)& \hfill \mathtt{H}\oplus {\mathtt{0}}_{\mathsf{service}-\mathsf{family}}& =& \mathtt{H}\hfill \left(9\right)& \hfill \mathtt{H}\oplus \mathtt{L}& =& \mathtt{L}\oplus \mathtt{H}\hfill \left(10\right)& \hfill \mathtt{H}\oplus (\mathtt{K}\oplus \mathtt{L})& =& (\mathtt{H}\oplus \mathtt{K})\oplus \mathtt{L}\hfill \left(11\right)& \hfill {\partial }_{{\varnothing }_{\mathsf{focus}-\mathsf{collection}}}\left(\mathtt{H}\right)& =& \mathtt{H}\hfill \left(12\right)& \hfill {\partial }_{\mathtt{U}}\left({\mathtt{0}}_{\mathsf{service}-\mathsf{family}}\right)& =& {\mathtt{0}}_{\mathsf{service}-\mathsf{family}}\hfill \left(13\right)& \hfill {\partial }_{\left\{\mathtt{f}\right\}}(\mathtt{f}.\mathtt{R})& =& {\mathtt{0}}_{\mathsf{service}-\mathsf{family}}\hfill \left(14\right)& \hfill \mathtt{f}\ne \mathtt{g}\to {\partial }_{\left\{\mathtt{f}\right\}}(\mathtt{g}.\mathtt{R})& =& \mathtt{g}.\mathtt{R}\hfill \left(15\right)& \hfill {\partial }_{\left\{\mathtt{f}\right\}}(\mathtt{H}\oplus \mathtt{K})& =& {\partial }_{\left\{\mathtt{f}\right\}}\left(\mathtt{H}\right)\oplus {\partial }_{\left\{\mathtt{f}\right\}}\left(\mathtt{K}\right)\hfill \left(16\right)& \hfill {\partial }_{\mathtt{U}\cup \mathtt{V}}\left(\mathtt{H}\right)& =& {\partial }_{\mathtt{U}}\circ {\partial }_{\mathtt{V}}\left(\mathtt{H}\right)\hfill \left(17\right)& \hfill \mathtt{f}.\mathtt{H}\oplus \mathtt{f}.\mathtt{K}& =& \mathtt{f}.{\mathtt{0}}_{\mathsf{service}}\hfill \left(18\right)& \hfill {\mathtt{I}}_{\mathsf{method}}\left({\mathtt{0}}_{\mathsf{service}}\right)& =& {\varnothing }_{\mathsf{method}-\mathsf{interface}}\hfill \left(19\right)& \hfill {\mathtt{I}}_{\mathsf{method}}\left(\mathtt{H}\right)& =& \{\mathtt{m}\mid \mathtt{m}\mathtt{is}\mathtt{a}\mathtt{method}\mathtt{of}\mathtt{H}\}\hfill \left(20\right)& \hfill {\mathtt{I}}_{\mathtt{provided}}\left({\mathtt{0}}_{\mathsf{service}-\mathsf{family}}\right)& =& {\varnothing }_{\mathsf{interface}}\hfill \left(21\right)& \hfill {\mathtt{I}}_{\mathtt{provided}}(\mathtt{f}.\mathtt{H})& =& \mathtt{f}.{\mathtt{I}}_{\mathsf{method}}\left(\mathtt{H}\right)\hfill \left(22\right)& \hfill {\mathtt{I}}_{\mathtt{provided}}\left(\mathtt{f}.\mathtt{H}\oplus {\partial }_{\left\{\mathtt{f}\right\}}\left(\mathtt{K}\right)\right)& =& {\mathtt{I}}_{\mathtt{provided}}\left(\mathtt{f}.\mathtt{H}\right)\cup {\mathtt{I}}_{\mathtt{provided}}\left({\partial }_{\left\{\mathtt{f}\right\}}\left(\mathtt{K}\right)\right)\hfill \left(23\right)& \hfill {\mathtt{I}}_{\mathsf{focus}-\mathsf{collection}}\left({\mathtt{0}}_{\mathsf{service}-\mathsf{family}}\right)& =& {\varnothing }_{\mathsf{focus}-\mathsf{collection}}\hfill \left(24\right)& \hfill {\mathtt{I}}_{\mathsf{focus}-\mathsf{collection}}(\mathtt{f}.\mathtt{H})& =& \left\{\mathtt{f}\right\}\hfill \left(25\right)& \hfill {\mathtt{I}}_{\mathsf{focus}-\mathsf{collection}}(\mathtt{V}\oplus \mathtt{W})& =& {\mathtt{I}}_{\mathsf{focus}-\mathsf{collection}}\left(\mathtt{V}\right)\cup {\mathtt{I}}_{\mathsf{focus}-\mathsf{collection}}\left(\mathtt{W}\right)\hfill \\ \left(26\right)& \hfill \mathtt{x}\subseteq \mathtt{y}⟺\mathtt{x}\cup \mathtt{y}& =& y\hfill \end{array}$$

and

Table 2. Equations for the required interfaces of threads and instruction sequences.

$$\begin{array}{}\left(27\right)& \hfill {\mathtt{I}}_{\mathsf{required}}\left(\mathtt{S}\right)& =& {\varnothing }_{\mathsf{interface}}\hfill \left(28\right)& \hfill {\mathtt{I}}_{\mathsf{required}}\left(\mathtt{D}\right)& =& {\varnothing }_{\mathsf{interface}}\hfill \left(29\right)& \hfill {\mathtt{I}}_{\mathsf{required}}(\mathtt{P}⊴\mathtt{f}.\mathtt{m}⊵\mathtt{Q})& =& {\mathtt{I}}_{\mathsf{required}}\left(\mathtt{P}\right)\cup \left\{\mathtt{f}.\mathtt{m}\right\}\cup {\mathtt{I}}_{\mathsf{required}}\left(\mathtt{Q}\right)\hfill \\ \left(30\right)& \hfill {\mathtt{I}}_{\mathsf{required}}(!)& =& {\varnothing }_{\mathsf{interface}}\hfill \left(31\right)& \hfill {\mathtt{I}}_{\mathsf{required}}(\#\mathtt{n})={\mathtt{I}}_{\mathsf{required}}(\backslash \#\mathtt{n})& =& {\varnothing }_{\mathsf{interface}}\hfill \left(32\right)& \hfill {\mathtt{I}}_{\mathsf{required}}(+\mathtt{f}.\mathtt{m})={\mathtt{I}}_{\mathsf{required}}(-\mathtt{f}.\mathtt{m})& =& {\mathtt{I}}_{\mathsf{required}}\left(\mathtt{f}.\mathtt{m}\right)=\left\{\mathtt{f}.\mathtt{m}\right\}\hfill \left(33\right)& \hfill {\mathtt{I}}_{\mathsf{required}}(\mathtt{X};\mathtt{Y})& =& {\mathtt{I}}_{\mathsf{required}}\left(\mathtt{X}\right)\cup {\mathtt{I}}_{\mathsf{required}}\left(\mathtt{Y}\right)\hfill \left(34\right)& \hfill {\mathtt{I}}_{\mathsf{required}}\left({\mathtt{X}}^{!}\right)& =& {\mathtt{I}}_{\mathsf{required}}\left(\mathtt{X}\right)\hfill \end{array}$$

. Concerning these tables, some comments are in order.

• Interfaces are by default sets of focus method pairs. Interfaces may serve as the required interface for a thread, as the provided interface for a service family, or as the constraining interface for a (forthcoming) thread. ${\varnothing }_{\mathsf{interface}}$ is the empty interface. ${\mathtt{0}}_{\mathsf{service}-\mathsf{family}}$ is the empty service family. Its interface is empty as well.
• Services have a method interface which consists of method names only. ${\varnothing }_{\mathsf{method}-\mathsf{interface}}$ is the empty method interface. ${\mathtt{0}}_{\mathsf{service}}$ is the unique service without any method.
• The service family $\mathtt{f}.{\mathtt{0}}_{\mathsf{service}}$ differs from ${\varnothing }_{\mathsf{interface}}$ because it involves a focus $\mathtt{f}$. This complication is useful because it allows ⊕ to be a total, commutative, and associative operator. Suppose $\mathtt{m}\in {\mathtt{I}}_{\mathtt{methods}}\left({\mathtt{H}}_{\mathtt{1}}\right)\cap {\mathtt{I}}_{\mathtt{methods}}\left({\mathtt{H}}_{\mathtt{2}}\right)$ the result of a call $\mathtt{f}.\mathtt{m}$ to a service family $\mathtt{f}.{\mathtt{H}}_{\mathtt{1}}\oplus \mathtt{f}.{\mathtt{H}}_{\mathtt{2}}$ is hard to define. Non-determinism is to be avoided, and ⊕ is supposedly commutative. A simple way out is to avoid service families with multiple services under the same focus. Adopting $\mathtt{f}.\mathtt{H}\oplus \mathtt{f}.\mathtt{K}={\mathtt{0}}_{\mathsf{service}-\mathsf{family}}$ fails, as it renders ⊕ as being non-associative. However, adopting $\mathtt{f}.\mathtt{H}\oplus \mathtt{f}.\mathtt{K}=\mathtt{f}.{\mathtt{0}}_{\mathsf{service}}$, blocks ambiguous method calls and allows ⊕ to be commutative and associative, though not idempotent (i.e., $\mathtt{V}\oplus \mathtt{V}=\mathtt{V}$ fails on any service family $\mathtt{V}$ with ${\mathtt{I}}_{\mathtt{provided}}\left(\mathtt{V}\right)\ne {\varnothing }_{\mathsf{interface}}$).
• The notion of an interface occurs in quite different ways in the literature on software technology. Three clusters of use of the term “interface” may be distinguished as follows:

  -

  Operational interfaces: collections of primitives with definite meaning.

  *

  API: an application programmer interface is a toolkit in a software engineering environment;

  *

  Processor instruction sets;

  *

  Collections of message passing primitives (e.g., MPI).

  -

  Requirements of specification-oriented interfaces (interface elements come with limited information regarding semantics).

  *

  Modal interfaces (see, for example, [27]);

  *

  Interface automata (see, for example, [28]);

  *

  Algebraic specifications as interface of data types.

  -

  Syntactic interfaces. (comprising declarations of syntactic elements; interface elements come without a predefined semantics, but may have suggestive names or symbols).

  *

  Similarity types in universal algebra (interfaces for first order theories);

  *

  Signatures as interfaces for algebraic (abstract data type) specifications;

  *

  Sets (alphabets) of atomic actions as process interfaces in process algebra (see, for example, [17]);

  *

  Sets of basic actions as interfaces in program algebra and thread algebra (following, for example, [26].

  In the context of thread algebra, interfaces are used in the capacity of syntactic interfaces as well as in the capacity of operational interfaces (though in a theoretical manner).

2.6. Thread Service Interaction, Instruction Sequence Processing Operators

In PGA-style program algebra and the corresponding theory of instruction sequences, the general idea of an execution architecture is as follows: given a instruction sequence $\mathtt{X}$, thread extraction produces a thread $\left|\mathtt{X}\right|$. Threads are processes captured in a thread algebra which is a simplified process algebra. Threads have three forms: $\mathtt{S}$, the terminating (stopping) thread, $\mathtt{D}$ the deadlocked (diverging, improperly terminating) thread and $\mathtt{P}\equiv \mathtt{Q}⊴\mathtt{f}.\mathtt{m}⊵\mathtt{R}$, the basic action form of a thread. The stopped thread may be equipped with a result value, for instance, a bit: ${\mathtt{S}}_{\mathtt{0}}$ and ${\mathtt{S}}_{\mathtt{1}}$. Threads in basic action form can perform a unique basic action, say, for $\mathtt{P}$: $\mathtt{f}.\mathtt{m}$, which works as follows:

(step 1) Let the service in focus $\mathtt{f}$ (say the service name $\mathtt{H}$, which at the time of the method call is in state $\mathtt{s}$, or more precisely $\mathtt{H}\left(\mathtt{s}\right)$) performs the (its) method named $\mathtt{m}$, the service is offered from the context as given by the execution architecture.

(step 2) A Boolean reply is expected, at reply $\mathtt{true}$, the run proceeds with $\mathtt{Q}$, and at reply $\mathtt{false}$, the run proceeds with $\mathtt{R}$, and the reply is found by evaluating the reply condition $\theta (\mathtt{s},\mathtt{m})$ for method $\mathtt{m}$ to state $\mathtt{s}$, thereby obtaining Boolean value $\mathtt{b}$.

(step 3) In both cases the state $\mathtt{s}$ of $\mathtt{H}$ is updated with the effect function $\eta$ to $\mathtt{H}(\eta (\mathtt{s},\mathtt{m},\mathtt{b}))$.

Three operators connecting instruction sequences and service families come into play:

(i) The reply operator: $\left|\mathtt{X}\right|!\mathtt{H}$, which produces a bit in $\{\mathtt{true},\mathtt{false}\}$ and in which $\mathtt{X}$ is understood as a way to define (compute) a function from (states of) service families to bits. To allow definition of the reply operator, two different termination instructions are needed: $!:\mathtt{true}$ (terminate with result $\mathtt{true}$) and $!:\mathtt{false}$ (terminate with result $\mathtt{false})$.

(ii) The apply operator $\left|\mathtt{X}\right|•\mathtt{H}$ in which $\mathtt{X}$ is supposed to describe a transformation from $\mathtt{H}$ to a new state of it (i.e., to a new state for each of the services contained in it).

(iii) The use operator $\left|\mathtt{X}\right|/\mathtt{H}$, which produces a thread rather than a value or a service family (carrying the states of the various services). For $\left|\mathtt{X}\right|/\mathtt{H}$, the services combined in $\mathtt{H}$ act as local resources, to begin with memory sources, which support $\mathtt{X}$ in computing thread $\left|\mathtt{X}\right|/\mathtt{H}$.

Typically, one may imagine compositions $\left(\right|\mathtt{X}|/\mathtt{V})•\mathtt{W}$ where it is plausible though not necessary that the service families $\mathtt{V}$ and $\mathtt{W}$ have no focus in common (i.e., ${\mathtt{I}}_{\mathsf{focus}-\mathsf{collection}}\left(\mathtt{V}\right)\cap {\mathtt{I}}_{\mathsf{focus}-\mathsf{collection}}\left(\mathtt{W}\right)={\varnothing }_{\mathsf{focus}-\mathsf{collection}}$). Encapsulation drops services from a service family: with $\mathtt{U}$, a collection of foci, ${\partial }_{\mathtt{U}}\left(\mathtt{V}\right)$ removes from $\mathtt{V}$ each service accessible under a focus in $\mathtt{U}$. Assuming that $\mathtt{V}$ and $\mathtt{W}$ involve disjoint collections of foci results in the following useful identity:

$$\begin{array}{c}{\mathtt{I}}_{\mathsf{focus}-\mathsf{collection}}\left(\mathtt{V}\right)\cap {\mathtt{I}}_{\mathsf{focus}-\mathsf{collection}}\left(\mathtt{W}\right)={\varnothing }_{\mathsf{focus}-\mathsf{collection}}\to \\ \left(\right|\mathtt{X}|/\mathtt{V})•\mathtt{W}={\partial }_{{\mathtt{I}}_{\mathsf{focus}-\mathsf{collection}}\left(\mathtt{V}\right)}\left(\right|\mathtt{X}|•(\mathtt{V}\oplus \mathtt{W})\left)\right)\end{array}$$

3. Prospecting Services: Endowed with a Non-Ordinary Capability

Below, further lookahead conditions are introduced, as a follow up on the ones mentioned in Section 1.1. Prospecting refers to the capability of a service to evaluate one or more lookahead conditions. That is a non-ordinary capability. Foresight is a property of a system (here, an execution architecture) where one or more services perform as if they were able to forecast the actual and potential future behaviour of the system. Proper foresight is present if no ordinary service meets the given requirements.

The basic action foresight pattern, when realised, allows a system to use a certain service (here, $\mathtt{H}$) to operate in such a manner that a given basic action (viz. ${\mathtt{g}}_{\mathtt{i}}.\mathtt{m}$) will certainly be performed provided that basic action might occur with non-deterministic behaviour for $\mathtt{H}$. For an explanation of the conditions of the form $\mathtt{A}\underline{\mathtt{sat}}\mathtt{CALL}(\mathtt{h}.\mathtt{m})$, see Section 1.2 above.

Definition 2 (Basic action foresight pattern).

Let $\mathtt{n}>\mathtt{1}$ and let ${\mathtt{J}}_{\mathtt{1}},\dots ,{\mathtt{J}}_{\mathtt{n}}$ be method interfaces. Further, let $\mathtt{H}$ be a service with ${\mathtt{I}}_{\mathsf{method}}\left(\mathtt{H}\right)=\left\{\mathtt{find}\right\}$ then an open architerm

$({\mathtt{X}}_{\mathtt{1}}⊴\mathtt{h}.\mathtt{find}⊵{\mathtt{X}}_{\mathtt{2}})•\mathtt{h}.\mathtt{H}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{Y}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{Y}}_{\mathtt{n}}$ realises the basic action foresight pattern for some $\mathtt{i}\in \{\mathtt{1},\dots ,\mathtt{n}\}$ and method $\mathtt{m}\in {\mathtt{J}}_{\mathtt{i}}$ if for all ordinary (but arbitrary) services ${\mathtt{K}}_{\mathtt{1}},\dots ,{\mathtt{K}}_{\mathtt{n}}$ with ${\mathtt{I}}_{\mathsf{method}}\left({\mathtt{K}}_{\mathtt{1}}\right)\subseteq {\mathtt{J}}_{\mathtt{1}},\dots ,{\mathtt{I}}_{\mathsf{method}}\left({\mathtt{K}}_{\mathtt{n}}\right)\subseteq {\mathtt{J}}_{\mathtt{n}}$, and for all threads $\mathtt{P},\mathtt{Q}$ with ${\mathtt{I}}_{\mathsf{required}}\left(\mathtt{P}\right)\cup {\mathtt{I}}_{\mathsf{required}}\left(\mathtt{Q}\right)\subseteq {\mathtt{I}}_{\mathtt{provided}}(\mathtt{h}.\mathtt{H}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}})$, the following holds:

if $\mathtt{P}•\mathtt{h}.\mathtt{H}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}\underline{\mathtt{sat}}\mathtt{CALL}({\mathtt{g}}_{\mathtt{i}}.\mathtt{m})$ or $\mathtt{Q}•\mathtt{h}.\mathtt{H}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}\underline{\mathtt{sat}}\mathtt{CALL}({\mathtt{g}}_{\mathtt{i}}.\mathtt{m})$

then also, $(\mathtt{P}⊴\mathtt{h}.\mathtt{find}⊵\mathtt{Q})•\mathtt{h}.\mathtt{H}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}\underline{\mathtt{sat}}\mathtt{CALL}({\mathtt{g}}_{\mathtt{i}}.\mathtt{m})$.

The example in Section 1.1 above (taking $\mathtt{i}=\mathtt{2}$ and $\mathtt{m}=\mathtt{m}\mathtt{2}$) provides a proof of the following proposition.

Proposition 1.

No ordinary service $\mathtt{H}$ satisfies the requirements of the basic action foresight pattern.

In Theorem 4 below, a prospecting service named MCP is shown to satisfy the requirements of the basic action foresight pattern. From the latter observation, it follows that the basic action foresight pattern is not self-contradictory.

3.1. Forecasting versus Prospection: Forecasting Patterns and Prospecting Services

Proposition 1 asserts that a certain foresight pattern will not emerge unless a service with prospecting capability is available. A foresight pattern may also be inconsistent (paradoxical, self-contradictory).

Foresight is reflexive in the sense that it works as if an agent (service) is well-informed about its own future behaviour, as well as about the behaviour of other agents (services). Prospection is non-reflexive, and refers to the capability of a service to acquire knowledge about the future behaviour of threads and other services in the same system. Lookahead conditions which occur in a service will work under the hypothesis that the service proceeds as an ordinary service (even if, in fact, it does not). For this limitation, see the preliminary definition of lookahead conditions and the remarks in Section 1.2 above. Using these conventions, prospection realised in a service by way of lookahead conditions will not have any paradoxical consequences, however hypothetical the evaluation of lookahead conditions in practice may be.

Proposition 2.

Let $\mathtt{i}\in \{\mathtt{1},\dots ,\mathtt{n}\}$, and let ${\mathtt{K}}_{\mathtt{1}},\dots ,{\mathtt{K}}_{\mathtt{n}}$ be ordinary (i.e., non-prospecting) services and let the interface $\mathtt{J}$ be given by $\mathtt{J}=\{\mathtt{f}.\mathtt{ok}\}\cup {\mathtt{I}}_{\mathtt{provided}}({\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}})$. Further let $\mathtt{TERM}$ be a lookahead service with ${\mathtt{I}}_{\mathsf{method}}\left(\mathtt{TERM}\right)=\left\{\mathtt{ok}\right\}$.

Now, it is not possible that for all threads $\mathtt{P}$ of the form $\mathtt{P}\equiv \mathtt{Q}⊴\mathtt{f}.\mathtt{ok}⊵{\mathtt{Q}}^{\prime }$, with ${\mathtt{I}}_{\mathsf{required}}\left(\mathtt{P}\right)\subseteq \mathtt{J}$, the following holds: the first call along focus $\mathtt{f}$ of the computation $\mathtt{P}•\mathtt{f}.\mathtt{TERM}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}$ returns $\mathtt{true}$ if and only if the computation of $\mathtt{P}•\mathtt{f}.\mathtt{TERM}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}$ properly terminates.

Proof. 

Suppose otherwise, and take $\mathtt{Q}\equiv \mathtt{D}$, ${\mathtt{Q}}^{\prime }\equiv \mathtt{S}$. Now the computation $(\mathtt{D}⊴\mathtt{f}.\mathtt{ok}⊵\mathtt{S})•\mathtt{f}.\mathtt{TERM}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}$ terminates properly (ends in $\mathtt{S}$) if and only if the first (and only) method call $\mathtt{f}.\mathtt{ok}$ returns $\mathtt{true}$ if and only if the same computation diverges (ends in $\mathtt{D}$). □

Proposition 2 is a rephrasing of the argument on the non-existence of malware detection by Cohen [18]. The latter result works with an action $\mathtt{do}:\mathtt{harm}$ instead of termination. We will discuss this forecasting pattern in more detail in Section 3.3 below. It is informative to phrase Proposition 2 in terms of a foresight pattern.

3.2. More Primitive Lookahead Conditions R

Primitive lookahead conditions have the quality that these may be understood as outcomes of experimenting with an architerm as outlined in Definition 1 and subsequent comments. Besides the lookahead condition $\mathtt{A}\underline{\mathtt{sat}}\mathtt{CALL}(\mathtt{f}.\mathtt{m})$, which is introduced below Definition 1, the following lookahead conditions (for an architerm $\mathtt{A}$) are used below:

• $\mathtt{A}\underline{\mathtt{sat}}\mathtt{PERP}$ holds if the computation from $\mathtt{A}$ does not terminate (i.e., perpetuates).
• $\mathtt{A}\underline{\mathtt{sat}}\mathtt{TERMINATION}\left(\mathtt{ok}\right)$ if the computation starting from $\mathtt{A}$ properly terminates.
• $\mathtt{A}\underline{\mathtt{sat}}\mathtt{TERMINATION}(\mathtt{not}\_\mathtt{ok})$ asserts that the computation starting from $\mathtt{A}$ improperly terminates (i.e., ends in $\mathtt{D}$).
• $\mathtt{A}\underline{\mathtt{sat}}\mathtt{TERMINATIONat}(\mathtt{n},\mathtt{ok})$ asserts that in the $\mathtt{n}$’th step proper termination occurs.
• $\mathtt{A}\underline{\mathtt{sat}}\mathtt{TERMINATIONat}(\mathtt{n},\mathtt{not}\_\mathtt{ok})$ asserts that at the $\mathtt{n}$’th step improper termination occurs.
• $\mathtt{A}\underline{\mathtt{sat}}\mathtt{noCALL}(\mathtt{f}.\mathtt{m})$ asserts that the computation from architerm $\mathtt{A}$ at no stage performs a method call $\mathtt{f}.\mathtt{m}$. Here, the computation may not terminate or may terminate properly or improperly and if $\mathtt{f}\notin \{{\mathtt{g}}_{\mathtt{1}},\dots ,{\mathtt{g}}_{\mathtt{m}}\}$, $\neg \left(\mathtt{A}\underline{\mathtt{sat}}\mathtt{noCALL}(\mathtt{f}.\mathtt{m})\right)$ holds.
• $\mathtt{A}\underline{\mathtt{sat}}\mathtt{CALLat}(\mathtt{k},\mathtt{f}.\mathtt{m})$ asserts that the computation from architerm $\mathtt{A}$ performs a method call $\mathtt{f}.\mathtt{m}$ in step number $\mathtt{k}$ for a natural number $\mathtt{k}>\mathtt{0}$.

Definition 3 (Termination foresight pattern A).

Let $\mathtt{n}>\mathtt{1}$ and let ${\mathtt{J}}_{\mathtt{1}},\dots ,{\mathtt{J}}_{\mathtt{n}}$ be method interfaces. Further, let $\mathtt{H}$ be a service with method interface ${\mathtt{I}}_{\mathsf{method}}\left(\mathtt{H}\right)=\left\{\mathtt{ok}\right\}$ then an open architerm ${\mathtt{X}}_{\mathtt{P}}•\mathtt{f}.\mathtt{H}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{Y}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{Y}}_{\mathtt{n}}$ realises the termination foresight pattern A if the following holds:

let ${\mathtt{K}}_{\mathtt{1}},\dots ,{\mathtt{K}}_{\mathtt{n}}$ be ordinary services such that ${\mathtt{I}}_{\mathsf{method}}\left({\mathtt{K}}_{\mathtt{1}}\right)\subseteq {\mathtt{J}}_{\mathtt{1}},\dots {\mathtt{I}}_{\mathsf{method}}\left({\mathtt{K}}_{\mathtt{n}}\right)\subseteq {\mathtt{J}}_{\mathtt{n}}$. Then, for all threads $\mathtt{Q},{\mathtt{Q}}^{\prime }$ with ${\mathtt{I}}_{\mathsf{required}}\left(\mathtt{Q}\right)\cup {\mathtt{I}}_{\mathsf{required}}\left({\mathtt{Q}}^{\prime }\right)\subseteq {\mathtt{I}}_{\mathtt{provided}}(\mathtt{f}.\mathtt{H}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}})$, it is the case that: $(\mathtt{Q}⊴\mathtt{f}.\mathtt{ok}⊵{\mathtt{Q}}^{\prime })•\mathtt{f}.\mathtt{H}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}\underline{\mathtt{sat}}\mathtt{TERMINATION}\left(\mathtt{ok}\right)$, if and only if the first call of $\mathtt{f}.\mathtt{ok}$ in the computation $(\mathtt{Q}⊴\mathtt{f}.\mathtt{ok}⊵{\mathtt{Q}}^{\prime })•\mathtt{h}.\mathtt{H}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}$ returns $\mathtt{true}$.

Proposition 1 entails that the termination foresight pattern A cannot be realised, not even with a prospecting service. That state of affairs is hardly surprising. Here is a similar foresight pattern for which it is less obvious that it cannot be realised.

Definition 4 (Termination foresight pattern B).

Let $\mathtt{n}>\mathtt{1}$ and let ${\mathtt{J}}_{\mathtt{1}},\dots ,{\mathtt{J}}_{\mathtt{n}}$ be method interfaces. Further let $\mathtt{H}$ be an SFS service (see Section 2.2 above) with method interface ${\mathtt{I}}_{\mathsf{method}}\left(\mathtt{H}\right)=\left\{\mathtt{ok}\right\}$ and with state space $\mathtt{S}$ and initial state ${\mathtt{s}}_{\mathtt{0}}\in \mathtt{S}$, then an open architerm ${\mathtt{X}}_{\mathtt{P}}•\mathtt{f}.\mathtt{H}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{Y}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{Y}}_{\mathtt{n}}$ realises the termination foresight pattern B if the following holds:

let ${\mathtt{K}}_{\mathtt{1}},\dots ,{\mathtt{K}}_{\mathtt{n}}$ be ordinary services such that ${\mathtt{I}}_{\mathsf{method}}\left({\mathtt{K}}_{\mathtt{1}}\right)\subseteq {\mathtt{J}}_{\mathtt{1}},\dots {\mathtt{I}}_{\mathsf{method}}\left({\mathtt{K}}_{\mathtt{n}}\right)\subseteq {\mathtt{J}}_{\mathtt{n}}$ and assume that $\mathtt{m}\in {\mathtt{I}}_{\mathsf{method}}\left({\mathtt{K}}_{\mathtt{i}}\right)$. Then for all threads $\mathtt{Q},{\mathtt{Q}}^{\prime }$ with ${\mathtt{I}}_{\mathsf{required}}\left(\mathtt{Q}\right)\cup {\mathtt{I}}_{\mathsf{required}}\left({\mathtt{Q}}^{\prime }\right)\subseteq {\mathtt{I}}_{\mathtt{provided}}(\mathtt{f}.\mathtt{H}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}})$, and for each state $\mathtt{s}\in \mathtt{S}$, it is the case that $\mathtt{Q}•\mathtt{f}.\mathtt{H}\left(\mathtt{s}\right)\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}\underline{\mathtt{sat}}\mathtt{TERMINATION}\left(\mathtt{ok}\right)$ if and only if the first call of $\mathtt{f}.\mathtt{ok}$ in the computation $(\mathtt{Q}⊴\mathtt{f}.\mathtt{ok}⊵{\mathtt{Q}}^{\prime })•\mathtt{h}.\mathtt{H}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}$ returns $\mathtt{true}$.

Termination foresight pattern B is unrealisable, irrespective of any conceivable prospecting capabilities of $\mathtt{H}$:

Proposition 3.

Termination foresight pattern B cannot be realised by any ordinary or non-ordinary service $\mathtt{H}$.

Proof. 

Let $\mathtt{S}$ be the state space of $\mathtt{H}$ so that $\mathtt{H}=\mathtt{H}\left({\mathtt{s}}_{\mathtt{0}}\right)$ and choose $\mathtt{Q}$ and ${\mathtt{Q}}^{\prime }$ as follows: $\mathtt{Q}=\mathtt{Q}⊴\mathtt{f}.\mathtt{ok}⊵\mathtt{S},{\mathtt{Q}}^{\prime }=\mathtt{S}$.

If ${\theta }_{\mathtt{H}}({\mathtt{s}}_{\mathtt{0}},\mathtt{ok})=\mathtt{false}$ then $\mathtt{Q}•\mathtt{f}.\mathtt{H}\left({\mathtt{s}}_{\mathtt{0}}\right)\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}\underline{\mathtt{sat}}\mathtt{TERMINATIONat}(\mathtt{2},\mathtt{ok})$ which contradicts the assumptions of the proposition. It follows that ${\theta }_{\mathtt{H}}({\mathtt{s}}_{\mathtt{0}},\mathtt{ok})=\mathtt{true}$, Now consider ${\mathtt{s}}_{\mathtt{1}}={\eta }_{\mathtt{H}}({\mathtt{s}}_{\mathtt{0}},\mathtt{ok},\mathtt{true})$. For ${\mathtt{s}}_{\mathtt{1}}$ it follows in the same way that ${\theta }_{\mathtt{H}}({\mathtt{s}}_{\mathtt{1}},\mathtt{ok})=\mathtt{true}$. In this way, an infinite sequence ${\mathtt{s}}_{\mathtt{0}},{\mathtt{s}}_{\mathtt{1}},{\mathtt{s}}_{\mathtt{2}},..$ results such that for all $\mathtt{i}$, ${\theta }_{\mathtt{H}}({\mathtt{s}}_{\mathtt{i}},\mathtt{ok})=\mathtt{true}$ and ${\mathtt{s}}_{\mathtt{i}+\mathtt{1}}={\eta }_{\mathtt{H}}({\mathtt{s}}_{\mathtt{i}},\mathtt{ok},\mathtt{true})$. It follows that $\mathtt{Q}•\mathtt{f}.\mathtt{H}\left({\mathtt{s}}_{\mathtt{0}}\right)\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}\underline{\mathtt{sat}}\mathtt{PERP}$ so that termination does not occur, which contradicts the assumption that the reply to the first method call equals $\mathtt{true}$, i.e., ${\theta }_{\mathtt{H}}({\mathtt{s}}_{\mathtt{0}},\mathtt{ok})=\mathtt{true}$. □

3.3. SHRD: A Hypothetical Service for Security Hazard Risk Detection

We contemplate a service $\mathtt{SHRD}$ (security hazard risk detection), according to which the occurrence of method call ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{harm}$ constitutes a security hazard, and which supports running a thread in such a way that the risk of a security hazard is detected and an alternative option for proceeding the computation is taken. The following result states the impossibility result of Cohen in terms of threads and services. This formalisation is based on [29].

Malware detection in practice, and in theory, amounts to much more than the mere detection of the future occurrence of a single basic action. For instance, in [30], the occurrence of runs of certain instruction sequences as subcomputations, perhaps interspersed with other steps, of the run of an instruction sequence is considered an indication/confirmation of a virus infection.

Proposition 4.

Let $\mathtt{i}\in \{\mathtt{1},\dots ,\mathtt{n}\}$ and let ${\mathtt{K}}_{\mathtt{1}},\dots ,{\mathtt{K}}_{\mathtt{n}}$ be ordinary services with $\mathtt{do}:\mathtt{harm}\in {\mathtt{I}}_{\mathsf{method}}\left({\mathtt{K}}_{\mathtt{i}}\right)$, and let the interface $\mathtt{J}$ be given by $\mathtt{J}=\{\mathtt{f}.\mathtt{ok}\}\cup {\mathtt{I}}_{\mathtt{provided}}({\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}})$. Let $\mathtt{SHRD}$ (for security hazard determination) be a (possibly non-ordinary) service with method interface ${\mathtt{I}}_{\mathsf{method}}\left(\mathtt{SHRD}\right)=\left\{\mathtt{ok}\right\}$.

Now, it is not possible that for all threads $\mathtt{P}$ of the form $\mathtt{P}\equiv \mathtt{Q}⊴\mathtt{f}.\mathtt{ok}⊵{\mathtt{Q}}^{\prime }$ with ${\mathtt{I}}_{\mathsf{required}}\left(\mathtt{P}\right)\subseteq \mathtt{J}$, the following holds: the first call along focus $\mathtt{f}$ of the computation $\mathtt{P}•\mathtt{f}.\mathtt{SHRD}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}$ returns $\mathtt{true}$ if and only if the computation of $\mathtt{P}•\mathtt{f}.\mathtt{SHRD}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}$ does not involve a method call ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{harm}$.

Proof. 

Suppose otherwise, and take $\mathtt{Q}\equiv \mathtt{do}:\mathtt{harm}\circ \mathtt{S}$, ${\mathtt{Q}}^{\prime }\equiv \mathtt{S}$. Then, one finds that the computation $((\mathtt{do}:\mathtt{harm}\circ \mathtt{S})⊴\mathtt{f}.\mathtt{ok}⊵\mathtt{S})•\mathtt{f}.\mathtt{SHRD}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}$ avoids performing ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{harm}$ if and only if the first (and only) method call $\mathtt{f}.\mathtt{ok}$ returns $\mathtt{true}$ if and only if the same computation performs ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{harm}$ (and then terminates). □

Now assume, irrespective of Proposition 4, that an $\mathtt{SHRD}$-like service is available as suggested in the proposition. Plausibly, $\mathtt{SHRD}$ would be used in the following manner: in a context $(\mathtt{Q}⊴\mathtt{f}.\mathtt{ok}⊵{\mathtt{Q}}^{\prime })•\mathtt{f}.\mathtt{SHRD}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}$ call $\mathtt{f}.\mathtt{ok}$ in order to prevent a run of $\mathtt{Q}$ leading to a method call ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{harm}$ and instead to engage in a run of ${\mathtt{Q}}^{\prime }$, thereby hopefully avoiding ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{harm}$. Although $\mathtt{SHRD}$ as indicated above in Proposition 4 cannot exist, a lookahead service which allows the particular use just mentioned is conceivable. In the following paragraph, such a service is defined under the name $\mathtt{SHRAT}$. $\mathtt{SHRAT}$ will be a service of the form ${\mathtt{L}}_{\theta }^{\mathtt{ok},\mathtt{s}}$ according to the following definition.

Definition 5.

Let the service ${\mathtt{L}}_{\theta }^{\mathtt{m},\mathtt{s}}$ has singleton state space $\left\{\mathtt{s}\right\}$ and ${{\mathtt{I}}_{\mathsf{method}}(\mathtt{L}}_{\theta }^{\mathtt{m},\mathtt{s}})=\left\{\mathtt{w}\right\}$ and when accessible under focus $\mathtt{f}$ in an architerm $\mathtt{A}$ it works as follows: on method call $\mathtt{f}.\mathtt{m}$ evaluate $\mathtt{b}=\theta (\mathtt{s},\mathtt{m})$, then return $\mathtt{b}$, without changing the state.

3.4. SHRAT: A Prospecting Service for Security Hazard Risk Assessment

In [31], the possibility of a service $\mathtt{SHRAT}$ (security hazard risk assessment) service is contemplated, which, supposedly, determines during the operation of an instruction sequence $\mathtt{X}$, the text of which is known to the service, and can determine whether or not the thread created by the instruction sequence will in the future perform a method call $\mathtt{do}:\mathtt{harm}$ to an unnamed service.

A method call $\mathtt{ok}$ to $\mathtt{SHRAT}$ aims to determine whether or not “the future is ok”, i.e., no $\mathtt{do}:\mathtt{harm}$ action will be performed. We will rephrase this idea with more emphasis on interfaces than in the presentation in [31]. To begin with the unnamed service is given name $\mathtt{K}$ and is present via the interface under focus $\mathtt{g}$.

We imagine a service $\mathtt{SHRAT}$ with a single method $\mathtt{ok}$ and a single state $\mathtt{s}$. In slight contrast with $\mathtt{SHRAT}$ one may imagine a service ${\mathtt{K}}_{\mathtt{i}}$ with method interface ${\mathtt{I}}_{\mathsf{method}}\left({\mathtt{K}}_{\mathtt{i}}\right)$ containing a method $\mathtt{do}:\mathtt{harm}$. Most methods from ${\mathtt{I}}_{\mathsf{method}}\left({\mathtt{K}}_{\mathtt{i}}\right)$ constitute useful (friendly) operations on the state space of $\mathtt{K}$, while the method $\mathtt{do}:\mathtt{harm}$ brings its state in disarray, so that it may be called only under special circumstances.

Let $\mathtt{X}$ be an instruction sequence such that

$${\mathtt{I}}_{\mathsf{required}}\left(\mathtt{X}\right)\subseteq \mathtt{J}{=}_{\mathtt{def}}{\mathtt{I}}_{\mathtt{provided}}(\mathtt{f}.\mathtt{SHRAT}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\left({\mathtt{s}}_{\mathtt{1}}\right)\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}\left({\mathtt{s}}_{\mathtt{n}}\right))$$

The application of $\mathtt{X}$ to a service family ${\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\left({\mathtt{s}}_{\mathtt{1}}\right)\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}\left({\mathtt{s}}_{\mathtt{n}}\right)$ while making use of the support of the (possibly non-ordinary) service $\mathtt{SHRAT}$ amounts to application of the thread $\left|\mathtt{X}\right|$ extracted from the instruction sequence $\mathtt{X}$ to the service family $\mathtt{f}.\mathtt{SHRAT}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\left({\mathtt{s}}_{\mathtt{1}}\right)\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}\left({\mathtt{s}}_{\mathtt{n}}\right)$ followed by forgetting $\mathtt{f}.\mathtt{SHRAT}$, thereby obtaining

$${\partial }_{\mathtt{f}}\left(\right|\mathtt{X}|•\mathtt{f}.\mathtt{SHRAT}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\left({\mathtt{s}}_{\mathtt{1}}\right)\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}\left({\mathtt{s}}_{\mathtt{n}}\right))$$

Now the idea is that in a thread $\mathtt{P}⊴\mathtt{f}.\mathtt{ok}⊵\mathtt{Q}$, when effectuated in the context of a service family $\mathtt{f}.\mathtt{SHRAT}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}$, the reply of $\mathtt{SHRAT}$ on the call $\mathtt{ok}$ is positive if the computation of $\mathtt{P}•\mathtt{f}.\mathtt{SHRAT}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}$ will not involve any call of the form ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{harm}$ while the reply is negative otherwise. Here, it is assumed that $\mathtt{P}$ and $\mathtt{Q}$ are threads arising from thread extraction of states of $\mathtt{X}$ so that the required interface of both $\mathtt{P}$ and $\mathtt{Q}$ is included in $\mathtt{J}$ as introduced above.

For example, taking $\mathtt{n}=\mathtt{1}$, if $\mathtt{P}$ contains a single occurrence of ${\mathtt{g}}_{\mathtt{1}}.\mathtt{do}:\mathtt{harm}$, it still may be the case that this particular method call will certainly not be performed so that a positive reply of $\mathtt{f}.\mathtt{ok}$ can be given by $\mathtt{SHRAT}$. For instance if ${\mathtt{K}}_{\mathtt{1}}\left(\mathtt{s}\right)$ returns $\mathtt{false}$ on $\mathtt{m}\mathtt{1}$ then in

$$(({\mathtt{g}}_{\mathtt{1}}.\mathtt{do}:\mathtt{harm}\circ \mathtt{S}⊴{\mathtt{g}}_{\mathtt{1}}.\mathtt{m}\mathtt{1}⊵{\mathtt{g}}_{\mathtt{1}}.\mathtt{m}\mathtt{2}\circ \mathtt{S})⊴\mathtt{f}.\mathtt{ok}⊵\mathtt{S})•\mathtt{f}.\mathtt{SHRAT}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\left(\mathtt{s}\right)$$

the call of $\mathtt{f}.\mathtt{ok}$ returns $\mathtt{true}$ and thus:

$${\partial }_{\mathtt{f}}((({\mathtt{g}}_{\mathtt{1}}.\mathtt{do}:\mathtt{harm}\circ \mathtt{S}⊴{\mathtt{g}}_{\mathtt{1}}.\mathtt{m}\mathtt{1}⊵{\mathtt{g}}_{\mathtt{1}}.\mathtt{m}\mathtt{2}\circ \mathtt{S})⊴\mathtt{f}.\mathtt{ok}⊵\mathtt{S})•\mathtt{f}.\mathtt{SHRAT}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\left(\mathtt{s}\right))=$$

$$({\mathtt{g}}_{\mathtt{1}}.\mathtt{m}\mathtt{1}\circ {\mathtt{g}}_{\mathtt{1}}.\mathtt{m}\mathtt{2}\circ \mathtt{S})•{\mathtt{K}}_{\mathtt{1}}\left(\mathtt{s}\right)={\mathtt{K}}_{\mathtt{1}}\left({\mathtt{effect}}_{\mathtt{m}\mathtt{2}}\left({\mathtt{effect}}_{\mathtt{m}\mathtt{1}}\left(\mathtt{s}\right)\right)\right)$$

With this idea in mind, a definition of the functionality of the lookahead service $\mathtt{SHRAT}$ can be given as follows. ($\mathtt{RFS}$ is defined in Section 2.1 above).

Definition 6.

The assertion ${\theta }_{\mathtt{SHRAT}}$ with arguments $\mathtt{Q},{\mathtt{K}}_{\mathtt{1}},\dots ,{\mathtt{K}}_{\mathtt{n}}$ is as follows: ${\theta }_{\mathtt{SHRAT}}\equiv$

$\exists \beta :{\left\{\mathtt{ok}\right\}}^{+}\to \{\mathtt{true},\mathtt{false}\}[\mathtt{Q}•\mathtt{g}.\mathtt{RFS}\left(\right\{\mathtt{ok}\},\beta )\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}\underline{\mathtt{sat}}\mathtt{noCALL}({\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{harm})]$

Definition 7.

$\mathtt{SHRAT}$ determines its reply to a method call $(\mathtt{Q}⊴\mathtt{f}.\mathtt{ok}⊵{\mathtt{Q}}^{\prime })•\mathtt{f}.\mathtt{SHRAT}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}$ as follows: first determine the truth value (say $\mathtt{b}$ of the assertion ${\theta }_{\mathtt{SHRAT}}$ as in Definition 6) with arguments $\mathtt{Q},{\mathtt{K}}_{\mathtt{1}},\dots ,{\mathtt{K}}_{\mathtt{m}}$; then the reply given by $\mathtt{SHRAT}$ to the call $\mathtt{f}.\mathtt{ok}$ equals $\mathtt{b}$ while the state is left unchanged.

In this definition, the form of $\mathsf{\Phi }$ matters. In particular, if one or more of the services ${\mathtt{K}}_{\mathtt{1}},\dots ,{\mathtt{K}}_{\mathtt{n}}$ have prospecting capability and $\mathtt{SHRAT}$ is informed about that fact, then when evaluating ${\theta }_{\mathtt{SHRAT}}$, it is “known” that when evaluating $\mathtt{Q}•\mathtt{f}.\mathtt{RFS}\left(\right\{\mathtt{ok}\},\beta )\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}$ the services ${\mathtt{K}}_{\mathtt{i}}$ operate on the basis of the information that the service accessible via focus $\mathtt{f}$ behaves as an ordinary service, thus reducing the number of non-ordinary services in the service family at hand. It follows that replies of $\mathtt{SHRAT}$ are well defined also without the assumption that the services ${\mathtt{K}}_{\mathtt{1}},\dots ,{\mathtt{K}}_{\mathtt{n}}$ are ordinary services.

3.5. Obtaining Lookahead Functionality with $\mathtt{SHRAT}$

We first formalise with Proposition 5 the intuition that the sought foresight pattern cannot be provided by an ordinary service. Then Theorem 1 captures how $\mathtt{SHRAT}$ realises the required foresight pattern.

Proposition 5.

Let $\mathtt{i}\in \{\mathtt{1},\dots ,\mathtt{n}\}$ and let ${\mathtt{K}}_{\mathtt{1}},\dots ,{\mathtt{K}}_{\mathtt{n}}$ be ordinary (i.e., non lookahead) services with $\mathtt{do}:\mathtt{harm}\in {\mathtt{I}}_{\mathsf{method}}\left({\mathtt{K}}_{\mathtt{i}}\right)$. Let $\mathtt{H}$ be an ordinary service with method interface ${\mathtt{I}}_{\mathsf{method}}\left(\mathtt{H}\right)=\left\{\mathtt{ok}\right\}$.

Then it cannot be the case that for all threads $\mathtt{P}$ and $\mathtt{Q}$ both with required interfaces included in $\mathtt{J}={\mathtt{I}}_{\mathtt{provided}}(\mathtt{f}.\mathtt{H}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}})$ the following holds: the reply of the service $\mathtt{H}$ to the first method call in the computation $(\mathtt{P}⊴\mathtt{f}.\mathtt{ok}⊵\mathtt{Q})•\mathtt{f}.\mathtt{H}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}$ equals $\mathtt{true}$ if and only if

$\mathtt{P}•\mathtt{f}.\mathtt{H}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}\underline{\mathtt{sat}}\mathtt{noCALL}({\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{harm})$.

Proof. 

There are two cases: ${\mathtt{reply}}_{\mathtt{ok}}\left(\mathtt{H}\right)=\mathtt{true}$ and ${\mathtt{reply}}_{\mathtt{ok}}\left(\mathtt{H}\right)=\mathtt{false}$. In the first case, choose $\mathtt{P}\equiv {\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{harm}\circ \mathtt{S}$ and $\mathtt{Q}\equiv \mathtt{S}$ and in the second case choose $\mathtt{P}\equiv \mathtt{S}$ and $\mathtt{Q}\equiv \mathtt{S}$. In both cases the required equivalence fails. □

Theorem 1.

Let $\mathtt{i}\in \{\mathtt{1},\dots ,\mathtt{n}\}$ and let ${\mathtt{K}}_{\mathtt{1}},\dots ,{\mathtt{K}}_{\mathtt{n}}$ be ordinary (i.e., non lookahead) services with $\mathtt{do}:\mathtt{harm}\in {\mathtt{I}}_{{\mathtt{K}}_{\mathtt{i}}}$, and let $\mathtt{P}$ and $\mathtt{Q}$ be threads both with required interfaces included in $\mathtt{J}=\{\mathtt{f}.\mathtt{ok}\}\cup {\mathtt{I}}_{\mathtt{provided}}({\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \dots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}})$.

Then the reply of the service $\mathtt{SHRAT}$ (as defined above) to the first method call in the computation $(\mathtt{P}⊴\mathtt{f}.\mathtt{ok}⊵\mathtt{Q})•\mathtt{f}.\mathtt{SHRAT}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}$ equals $\mathtt{true}$ if and only if

$\mathtt{P}•\mathtt{f}.\mathtt{SHRAT}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}\underline{\mathtt{sat}}\mathtt{noCALL}({\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{harm})$

Proof. 

Without loss of generality, we will assume that $\mathtt{n}=\mathtt{i}=\mathtt{1}$ and we will write $\mathtt{K}$ instead of ${\mathtt{K}}_{\mathtt{1}}$ and $\mathtt{g}$ instead of ${\mathtt{g}}_{\mathtt{1}}$. Let $\mathtt{V}$ be a state space with $\mathtt{r}\in \mathtt{V}$ so that $\mathtt{K}=\mathtt{K}\left(\mathtt{r}\right)$. We will distinguish two cases in this order: (i) the case that the computation $\mathtt{P}•\mathtt{f}.\mathtt{SHRAT}\oplus \mathtt{g}.\mathtt{K}\left(\mathtt{r}\right)$ involves a method call $\mathtt{g}.\mathtt{do}:\mathtt{harm}$, and (ii) the case that it does not.

For case (i), suppose that the computation $\mathtt{P}•\mathtt{f}.\mathtt{SHRAT}\oplus \mathtt{g}.\mathtt{K}\left(\mathtt{r}\right)$ involves a method call $\mathtt{g}.\mathtt{do}:\mathtt{harm}$. It is shown that the reply by $\mathtt{SHRAT}$ to the first method call of the computation $(\mathtt{P}⊴\mathtt{f}.\mathtt{ok}⊵\mathtt{Q})•\mathtt{f}.\mathtt{SHRAT}\oplus \mathtt{g}.\mathtt{K}\left(\mathtt{r}\right)$ equals $\mathtt{false}$. To this end, it suffices to prove that for each infinite sequence of Boolean values $\beta ={\mathtt{b}}_{\mathtt{0}},{\mathtt{b}}_{\mathtt{1}},\dots$, the computation $\mathtt{P}•\mathtt{f}.\mathtt{RFS}\left(\right\{\mathtt{ok}\},\beta )\oplus \mathtt{g}.\mathtt{K}(\mathtt{r})$ involves a basic action $\mathtt{g}.\mathtt{do}:\mathtt{harm}$. If not, choose a thread ${\mathtt{P}}^{\prime }$ with required interface included in $\mathtt{J}$ and ${\mathtt{r}}^{\prime }\in \mathtt{V}=\mathtt{STATES}\left(\mathtt{K}\right)$ such that (i) the computation from architerm ${\mathtt{P}}^{\prime }•\mathtt{f}.\mathtt{SHRAT}\oplus \mathtt{g}.\mathtt{K}\left({\mathtt{r}}^{\prime }\right))$ involves a method call $\mathtt{g}.\mathtt{do}:\mathtt{harm}$, (ii) for some finite or infinite sequence of Boolean values $\beta ={\mathtt{b}}_{\mathtt{1}},{\mathtt{b}}_{\mathtt{2}},\dots$ the computation $\mathtt{P}•\mathtt{f}.\mathtt{RFS}\left(\right\{\mathtt{ok}\},\beta )\oplus \mathtt{g}.\mathtt{K}\left({\mathtt{r}}^{\prime }\right)$ involves no basic action $\mathtt{g}.\mathtt{do}:\mathtt{harm}$, (iii) the number $\mathtt{n}$ of steps of the computation of ${\mathtt{P}}^{\prime }•\mathtt{f}.\mathtt{SHRAT}\oplus \mathtt{g}.\mathtt{K}\left({\mathtt{r}}^{\prime }\right)$ until its first call of $\mathtt{g}.\mathtt{do}:\mathtt{harm}$ is minimal, say ${\mathtt{n}}_{\mathtt{min}}$. A contradiction is derived from a case distinction on the structure of ${\mathtt{P}}^{\prime }$.

Consider first the case that ${\mathtt{P}}^{\prime }\equiv \mathtt{S}$, $\mathtt{S}•\mathtt{f}.\mathtt{SHRAT}\oplus \mathtt{g}.\mathtt{K}\left({\mathtt{r}}^{\prime }\right)$ terminates at once and does not involve an occurrence of the basic action $\mathtt{g}.\mathtt{do}:\mathtt{harm}$, thereby contradicting requirement (i) on ${\mathtt{P}}^{\prime }$ and $r^{\prime }$. A similar argument applies if ${\mathtt{P}}^{\prime }\equiv \mathtt{D}$. Now suppose that ${\mathtt{P}}^{\prime }\equiv {\mathtt{P}}_{\mathtt{1}}^{\prime }⊴\mathtt{g}.\mathtt{do}:\mathtt{harm}⊵{\mathtt{P}}_{\mathtt{2}}^{\prime }$. In this case, there is no $\beta$ such that the computation ${\mathtt{P}}^{\prime }•\mathtt{f}.\mathtt{RFS}(\left\{\mathtt{ok}\right\},\beta )\oplus \mathtt{g}.\mathtt{K}\left({\mathtt{r}}^{\prime }\right)$ avoids performing basic action $\mathtt{g}.\mathtt{do}:\mathtt{harm}$, thereby contradicting requirement (ii) on the choice of ${\mathtt{P}}^{\prime }$ and $r^{\prime }$. Next let ${\mathtt{P}}^{\prime }\equiv {\mathtt{P}}_{\mathtt{1}}^{\prime }⊴\mathtt{g}.\mathtt{m}⊵{\mathtt{P}}_{\mathtt{2}}^{\prime }$ for $\mathtt{m}\in {\mathtt{I}}_{\mathtt{K}}$. Now, two cases are distinguished: ${\mathtt{reply}}_{\mathtt{m}}\left({\mathtt{r}}^{\prime }\right)=\mathtt{true}$ and ${\mathtt{reply}}_{\mathtt{m}}\left({\mathtt{r}}^{\prime }\right)=\mathtt{false}$. Consider the first case, then in one step, the architerm $({\mathtt{P}}_{\mathtt{1}}^{\prime }⊴\mathtt{g}.\mathtt{m}⊵{\mathtt{P}}_{\mathtt{2}}^{\prime })•\mathtt{f}.\mathtt{SHRAT}\oplus \mathtt{g}.\mathtt{K}\left({\mathtt{r}}^{\prime }\right)$ evolves to the architerm ${\mathtt{P}}_{\mathtt{1}}^{\prime }•\mathtt{f}.\mathtt{SHRAT}\oplus \mathtt{g}.\mathtt{K}({\mathtt{effect}}_{\mathtt{m}}\left({\mathtt{r}}^{\prime }\right)$. Now, it must be the case that (a) the computation from the latter architerm involves an occurrence of $\mathtt{g}.\mathtt{do}:\mathtt{harm}$ (because of assumption (i) on ${\mathtt{P}}^{\prime }$ and ${\mathtt{r}}^{\prime })$, (b) for some $\beta$ (the same as for the combination ${\mathtt{P}}^{\prime }$ and ${\mathtt{r}}^{\prime }$) the computation ${\mathtt{P}}_{\mathtt{1}}^{\prime }•\mathtt{f}.\mathtt{SHRAT}\oplus \mathtt{g}.\mathtt{K}\left({\mathtt{effect}}_{\mathtt{m}}\left({\mathtt{r}}^{\prime }\right)\right)$ does not involve an occurrence of the basic action $\mathtt{g}.\mathtt{do}:\mathtt{harm}$, and (c) the number of steps in the computation of ${\mathtt{P}}_{\mathtt{1}}^{\prime }•\mathtt{f}.\mathtt{SHRAT}\oplus \mathtt{g}.\mathtt{K}\left({\mathtt{effect}}_{\mathtt{m}}\left({\mathtt{r}}^{\prime }\right)\right)$ until the first call of $\mathtt{g}.\mathtt{do}:\mathtt{harm}$ equals ${\mathtt{n}}_{\mathtt{min}}-\mathtt{1}$ which contradicts the minimality of ${\mathtt{n}}_{\mathtt{min}}$. The case ${\mathtt{reply}}_{\mathtt{m}}\left({\mathtt{r}}^{\prime }\right)=\mathtt{false}$ works in the same way. Finally consider the case ${\mathtt{P}}^{\prime }\equiv {\mathtt{P}}_{\mathtt{1}}^{\prime }⊴\mathtt{f}.\mathtt{ok}⊵{\mathtt{P}}_{\mathtt{2}}^{\prime }$. There are two subcases: in the first step of the computation of ${\mathtt{P}}^{\prime }•\mathtt{f}.\mathtt{SHRAT}\oplus \mathtt{g}.\mathtt{K}\left({\mathtt{r}}^{\prime }\right)$$\mathtt{SHRAT}$ returns $\mathtt{true}$ (subcase 1) or it returns $\mathtt{false}$ (subcase 2).

(Subcase 1). If $\mathtt{SHRAT}$ returns $\mathtt{true}$, then it is known that (a) the computation of ${\mathtt{P}}_{\mathtt{1}}^{\prime }•\mathtt{f}.\mathtt{SHRAT}\oplus \mathtt{g}.\mathtt{K}\left({\mathtt{r}}^{\prime }\right)$ involves an occurrence of $\mathtt{g}.\mathtt{do}:\mathtt{harm}$ (because of requirement (i) on ${\mathtt{P}}^{\prime }$ and ${\mathtt{r}}^{\prime }$), (b) there is a sequence $\alpha$ such that the computation ${\mathtt{P}}_{\mathtt{1}}^{\prime }•\mathtt{f}.\mathtt{RFS}(\left\{\mathtt{ok}\right\},\alpha )\oplus \mathtt{g}.\mathtt{K}\left({\mathtt{r}}^{\prime }\right)$ does not contain an occurrence of $\mathtt{g}.\mathtt{do}:\mathtt{harm}$ (the existence of $\alpha$ is obtained from the definition of $\mathtt{SHRAT}$ and the fact that its most recent reply was positive), and (c) the number of steps in this computation until the first occurrence of $\mathtt{g}.\mathtt{do}:\mathtt{harm}$ equals ${\mathtt{n}}_{\mathtt{min}}-\mathtt{1}$. Together, (a), (b), and (c) contradict the minimality of ${\mathtt{n}}_{\mathtt{min}}$ for ${\mathtt{P}}^{\prime }$ and ${\mathtt{r}}^{\prime }$.

(Subcase 2). The case that $\mathtt{SHRAT}$ returns $\mathtt{false}$ begins with the observation (a) that because the computation $({\mathtt{P}}_{\mathtt{1}}^{\prime }⊴\mathtt{f}.\mathtt{ok}⊵{\mathtt{P}}_{\mathtt{2}}^{\prime })•\mathtt{f}.\mathtt{SHRAT}\oplus \mathtt{g}.\mathtt{K}\left({\mathtt{r}}^{\prime }\right)$ involves a call $\mathtt{g}.\mathtt{do}:\mathtt{harm}$ so does the computation from the next step (because of the assumption made on the value of the call $\mathtt{f}.\mathtt{ok}$) ${\mathtt{P}}_{\mathtt{2}}^{\prime }•\mathtt{f}.\mathtt{SHRAT}\oplus \mathtt{g}.\mathtt{K}\left({\mathtt{r}}^{\prime }\right)$; observation (b) reads that ${\mathtt{b}}_{\mathtt{1}}=\mathtt{false}$. To see this, notice that due to the definition of $\mathtt{SHRAT}$, the fact that the most recent reply to a call $\mathtt{f}.\mathtt{ok}$ was negative must have been caused by the fact that, for each $\alpha$, each computation starting from the architerm ${\mathtt{P}}_{\mathtt{1}}^{\prime }•\mathtt{f}.\mathtt{RFS}(\left\{\mathtt{ok}\right\},\alpha )\oplus \mathtt{g}.\mathtt{K}\left({\mathtt{r}}^{\prime }\right)$ involves a call $\mathtt{g}.\mathtt{do}:\mathtt{harm}$. It follows from the latter that ${\mathtt{b}}_{\mathtt{1}}$ (the reply to the recent call $\mathtt{f}.\mathtt{ok}$ as encoded in $\beta$) must be $\mathtt{false}$.

The computation from architerm ${({\mathtt{P}}_{\mathtt{1}}^{\prime }⊴\mathtt{f}.\mathtt{ok}⊵{\mathtt{P}}_{\mathtt{2}}^{\prime })}^{\prime }•\mathtt{f}.\mathtt{RFS}(\left\{\mathtt{ok}\right\},\beta )\oplus \mathtt{g}.\mathtt{K}\left({\mathtt{r}}^{\prime }\right)$ involves no call $\mathtt{g}.\mathtt{do}:\mathtt{harm}$, and together with ${\mathtt{b}}_{\mathtt{1}}=\mathtt{false}$, it follows that the computation from architerm ${\mathtt{P}}_{\mathtt{2}}^{\prime }•\mathtt{f}.\mathtt{RFS}\left({\beta }^{\prime }\right)\oplus \mathtt{g}.\mathtt{K}\left({\mathtt{r}}^{\prime }\right)$ (with ${\beta }^{\prime }={\mathtt{b}}_{\mathtt{2}},{\mathtt{b}}_{\mathtt{3}},\dots$) contains no call $\mathtt{g}.\mathtt{do}:\mathtt{harm}$ either. Finally notice (c) that the length of the latter computation is ${\mathtt{n}}_{\mathtt{min}}-\mathtt{1}$. Together, (a), (b), and (c) contradict the minimality of ${\mathtt{n}}_{\mathtt{min}}$, which concludes subcase 2.

In the second part of the proof, regarding case (ii) ($\mathtt{P}•\mathtt{f}.\mathtt{SHRAT}\oplus \mathtt{g}.\mathtt{K}\left(\mathtt{r}\right)$ does not involve a method call $\mathtt{g}.\mathtt{do}:\mathtt{harm}$) one may assume that the computation of $\mathtt{P}•\mathtt{f}.\mathtt{SHRAT}\oplus \mathtt{g}.\mathtt{K}\left(\mathtt{r}\right)$ does not contain a method call $\mathtt{g}.\mathtt{do}:\mathtt{harm}$.

We show that the first reply of $\mathtt{SHRAT}$ to a call $\mathtt{f}.\mathtt{ok}$ (in the computation of $(\mathtt{P}⊴\mathtt{f}.\mathtt{ok}⊵\mathtt{Q})•\mathtt{f}.\mathtt{SHRAT}\oplus \mathtt{g}.\mathtt{K}\left(\mathtt{r}\right)$) equals $\mathtt{true}$. Consider the finite or infinite sequence of Boolean values $\alpha ={\mathtt{a}}_{\mathtt{0}},{\mathtt{a}}_{\mathtt{1}},\dots$ such that the successive calls (if any) of $\mathtt{f}.\mathtt{ok}$ in the computation of $\mathtt{P}•\mathtt{f}.\mathtt{SHRAT}\oplus \mathtt{g}.\mathtt{K}\left(\mathtt{r}\right)$ are replied to by $\mathtt{SHRAT}$ as encoded in $\alpha$. Making use of the fact that $\mathtt{K}$ is not a lookahead service, and that, consequently, its replies will only depend on the state of the service at the moment of a call being made and, of course, on the particular method which is being called, while its replies cannot not depend on future behaviour of the system, the architerm $\mathtt{P}•\mathtt{f}.\mathtt{RFS}\left(\right\{\mathtt{ok}\},\alpha )\oplus \mathtt{g}.\mathtt{K}(\mathtt{r})$ produces the same computation, and for that reason, it does not contain an occurrence of the method call $\mathtt{g}.\mathtt{do}:\mathtt{harm}$. Now it follows from clause (b) in the definition of the behaviour of $\mathtt{SHRAT}$ that the reply given to the first call of $\mathtt{f}.\mathtt{ok}$ in the computation of $(\mathtt{P}⊴\mathtt{f}.\mathtt{ok}⊵\mathtt{Q})•\mathtt{f}.\mathtt{SHRAT}\oplus \mathtt{g}.\mathtt{K}\left(\mathtt{r}\right)$ equals $\mathtt{true}$. □

Definition 8.

${\mathtt{SHRAT}}^{\mathtt{fst}/\mathtt{fss}}$ is the restriction of $\mathtt{SHRAT}$ to finite state threads (fst) and finite state services (fss).

Proposition 6.

${\mathtt{SHRAT}}^{\mathtt{fst}/\mathtt{fss}}$ is a computable service taking as additional inputs for the determination of a reply on a method call $\mathtt{ok}$ a combination of two finite PGLB instruction sequences for the representation of the threads $\mathtt{P}$ and $\mathtt{Q}$ and finite state machines for the representation of the services ${\mathtt{K}}_{\mathtt{1}},\dots ,{\mathtt{K}}_{\mathtt{m}}$.

Proof. 

A decision method for $\mathsf{\Phi }$ (in the definition of $\mathtt{SHRAT}$) is as follows: Given arguments $\mathtt{P},{\mathtt{K}}_{\mathtt{1}},\dots ,{\mathtt{K}}_{\mathtt{n}}$ let ${\mathtt{u}}_{\mathtt{p}}={\#}_{\mathtt{STATES}}\left(\mathtt{P}\right),{\mathtt{u}}_{\mathtt{1}}={\#}_{\mathtt{STATES}}\left({\mathtt{K}}_{\mathtt{1}}\right),\dots ,{\#}_{\mathtt{STATES}}\left({\mathtt{K}}_{\mathtt{n}}\right)$ be the respective sizes (number of elements) of the respective state spaces of these components. We find that a computation path without a call ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{harm}$ $\mathtt{P}•\mathtt{f}.\mathtt{SHRAT}\oplus \mathtt{g}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus \mathtt{g}.{\mathtt{K}}_{\mathtt{n}}$ can have at most $\mathtt{u}={\mathtt{u}}_{\mathtt{p}}·{\mathtt{u}}_{\mathtt{1}}·\dots ·{\mathtt{u}}_{\mathtt{n}}$ steps unless it gets into a cycle. So by checking all paths of a length of $\mathtt{u}$ steps it can be found if there is a (possibly cyclic) path without a call to ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{harm}$, in which case the sequence of successive replies to calls $\mathtt{f}.\mathtt{ok}$ provides a cyclic sequence $\beta$ as required, while otherwise, no such $\beta$ exists. □

Definition 9.

${\mathtt{SHRAT}}^{\mathtt{fst}/\mathtt{fss}/\mathtt{tts}}$ is the restriction of $\mathtt{SHRAT}$ to finite state threads (fst) and a combination of finite state services (fss) with ${\mathtt{K}}_{\mathtt{1}}$ a service for a Turing tape (tts).

Proposition 7.

${\mathtt{SHRAT}}^{\mathtt{fst}/\mathtt{fss}/\mathtt{tts}}$ is a non-computable service taking as additional inputs for the determination of a reply on a method call $\mathtt{ok}$ a combination of two finite PGLB instruction sequences for the representation of the threads $\mathtt{P}$ and $\mathtt{Q}$, a bit sequence for the tape architerm for ${\mathtt{K}}_{\mathtt{1}}$, and finite state machines for the representation of the services ${\mathtt{K}}_{\mathtt{2}},\dots ,{\mathtt{K}}_{\mathtt{m}}$.

Proof. 

We consider the collection $\mathtt{U}$ of PGLB instruction sequences with required interface included in ${\mathtt{g}}_{\mathtt{1}}.{\mathtt{I}}_{\mathtt{r}}\left(\mathtt{TTS}\right)$ and such that termination can only occur at the last instruction (which must be !). Termination of computations of the form $|\mathtt{P};!|•{\mathtt{g}}_{\mathtt{1}}.\mathtt{TSS}$ is well known to be not computationally decidable. We find that for $\mathtt{P};!\in \mathtt{U}$: the computation from $|\mathtt{P};!|•{\mathtt{g}}_{\mathtt{1}}.\mathtt{TSS}$ terminates if and only if the computation from $|\mathtt{P};{\mathtt{g}}_{\mathtt{2}}.\mathtt{do}:\mathtt{harm};!|•{\mathtt{g}}_{\mathtt{1}}.\mathtt{TSS}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}$ involves a call ${\mathtt{g}}_{\mathtt{2}}.\mathtt{do}:\mathtt{harm}$, if and only if the initial call $\mathtt{f}.\mathtt{ok}$ in the computation $\left(\right|\mathtt{P};{\mathtt{g}}_{\mathtt{2}}.\mathtt{do}:\mathtt{harm};!|⊴\mathtt{f}.\mathtt{ok}⊵\mathtt{S})•\mathtt{f}.\mathtt{SHRAT}\oplus {\mathtt{g}}_{\mathtt{1}}.\mathtt{TSS}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}$ receives reply $\mathtt{false}$. If $\mathtt{SHRAT}$ is a computable service, it follows that the halting problem for PGLB instruction sequences over a Turing tape service is decidable as well, which is not the case. □

The notion of a lookahead service leaves open the possibility of the interaction of multiple lookahead services, and suggests possible generalisations of Theorem 1, with one or more of the ${\mathtt{K}}_{\mathtt{i}}$ featuring lookahead capability. This suggestion leads to the following result.

Theorem 2.

The condition for Theorem 1 that ${\mathtt{K}}_{\mathtt{1}},\dots ,{\mathtt{K}}_{\mathtt{n}}$ are ordinary services is a necessary condition for Theorem 1.

Proof. 

Let $\mathtt{n}=\mathtt{i}=\mathtt{2}$ in the notation of Theorem 1. We assume that ${\mathtt{I}}_{\mathsf{method}}\left({\mathtt{K}}_{\mathtt{1}}\right)=\{\mathtt{m}\mathtt{1},\mathtt{m}\mathtt{2},\mathtt{m}\mathtt{3}\}$ and ${\mathtt{I}}_{\mathsf{method}}\left({\mathtt{K}}_{\mathtt{2}}\right)=\{\mathtt{do}:\mathtt{harm},\mathtt{u}\mathtt{1},\mathtt{u}\mathtt{2}\}$. We consider the following example:

$\mathtt{P}\equiv ({\mathtt{g}}_{\mathtt{2}}.\mathtt{u}\mathtt{1}\circ ({\mathtt{g}}_{\mathtt{2}}.\mathtt{do}:\mathtt{harm}\circ \mathtt{S}⊴{\mathtt{g}}_{\mathtt{1}}.\mathtt{m}\mathtt{2}⊵\mathtt{S}))⊴\mathtt{f}.\mathtt{ok}⊵({\mathtt{g}}_{\mathtt{2}}.\mathtt{u}\mathtt{2}\circ ({\mathtt{g}}_{\mathtt{2}}.\mathtt{do}:\mathtt{harm}\circ \mathtt{S}⊴{\mathtt{g}}_{\mathtt{1}}.\mathtt{m}\mathtt{3}⊵\mathtt{S})))⊴{\mathtt{g}}_{\mathtt{1}}.\mathtt{m}\mathtt{1}⊵\mathtt{S}$ and $\mathtt{Q}\equiv \mathtt{S}$. Moreover, ${\mathtt{K}}_{\mathtt{2}}$ is an ordinary service such that $\mathtt{do}:\mathtt{harm}\in {\mathtt{I}}_{\mathsf{method}}\left({\mathtt{K}}_{\mathtt{2}}\right)$. ${\mathtt{K}}_{\mathtt{1}}$, however, is a non-ordinary service, which is defined as follows:

(i) ${\mathtt{K}}_{\mathtt{1}}$ has a single state only, so none of its actions results in a state change.

(ii) On $\mathtt{m}\mathtt{2}$ and $\mathtt{m}\mathtt{3}$, the reply is always $\mathtt{true}$.

(iii) on $\mathtt{m}\mathtt{1}$, the evaluation of $\theta (\mathtt{s},\mathtt{m}\mathtt{1})$ for ${\mathtt{K}}_{\mathtt{1}}$ in a context $({\mathtt{R}}_{\mathtt{1}}⊴{\mathtt{g}}_{\mathtt{1}}.\mathtt{m}\mathtt{1}⊵{\mathtt{R}}_{\mathtt{2}})•\mathtt{f}.\mathtt{H}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}$ depends on prospection as follows: $\theta (\mathtt{s},\mathtt{m}\mathtt{1})$ is $\mathtt{false}$ (and with it the reply of $\mathtt{f}.{\mathtt{K}}_{\mathtt{1}}$ to the call $\mathtt{f}.\mathtt{m}$), if and only if there are two different ordinary services ${\mathtt{K}}_{\mathtt{a}}$ and ${\mathtt{K}}_{\mathtt{b}}$ so that ${\mathtt{R}}_{\mathtt{1}}•\mathtt{f}.\mathtt{H}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{a}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}\underline{\mathtt{sat}}\mathtt{CALL}({\mathtt{g}}_{\mathtt{2}}.\mathtt{u}\mathtt{1})$ and ${\mathtt{R}}_{\mathtt{1}}•\mathtt{f}.\mathtt{H}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{b}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}\underline{\mathtt{sat}}\mathtt{CALL}({\mathtt{g}}_{\mathtt{2}}.\mathtt{u}\mathtt{2})$.

(iv) On $\mathtt{m}\mathtt{1}$ there is no state change.

Now adopting the definition of $\mathtt{SHRAT}$ as given above, consider the computation starting from $(\mathtt{P}⊴\mathtt{f}.\mathtt{ok}⊵\mathtt{Q})•\mathtt{f}.\mathtt{SHRAT}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}$. This computation, however, does not comply with the requirement on $\mathtt{f}.\mathtt{SHRAT}$ as given in Theorem 1. In particular, it is the case that:

(a) $\mathtt{P}•\mathtt{f}.\mathtt{SHRAT}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}\underline{\mathtt{sat}}\mathtt{noCALL}({\mathtt{g}}_{\mathtt{2}}.\mathtt{do}:\mathtt{harm})$ while

(b) The first call of $\mathtt{f}.\mathtt{ok}$ in the computation $(\mathtt{P}⊴\mathtt{f}.\mathtt{ok}⊵\mathtt{Q})•\mathtt{f}.\mathtt{SHRAT}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}$ receives reply $\mathtt{false}$ from $\mathtt{SHRAT}$.

To prove (b), first notice that the call $\mathtt{f}.\mathtt{ok}$ requests $\mathtt{SHRAT}$ to evaluate the reply condition ${\theta }_{\mathtt{SHRAT}}$. It must be shown that for each reply function $\beta :{\left\{\mathtt{ok}\right\}}^{+}\to \{\mathtt{true},\mathtt{false}\}$ it is the case that $\mathtt{P}•\mathtt{f}.\mathtt{RFS}\left(\right\{\mathtt{ok}\},\beta )\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}\underline{\mathtt{sat}}\mathtt{CALL}({\mathtt{g}}_{\mathtt{2}}.\mathtt{do}:\mathtt{harm})$. The latter computation starts with the call ${\mathtt{g}}_{\mathtt{1}}.\mathtt{m}\mathtt{1}$ which will return $\mathtt{false}$ if and only if two different ordinary services ${\mathtt{K}}_{\mathtt{a}}$ and ${\mathtt{K}}_{\mathtt{b}}$ exist so that

${\mathtt{R}}_{\mathtt{1}}•\mathtt{f}.\mathtt{RFS}(\left\{\mathtt{ok}\right\},\beta )\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{a}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}\underline{\mathtt{sat}}\mathtt{CALL}({\mathtt{g}}_{\mathtt{2}}.\mathtt{u}\mathtt{1})$, and

${\mathtt{R}}_{\mathtt{1}}•\mathtt{f}.\mathtt{RFS}(\left\{\mathtt{ok}\right\},\beta )\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{b}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}\underline{\mathtt{sat}}\mathtt{CALL}({\mathtt{g}}_{\mathtt{2}}.\mathtt{u}\mathtt{2})$, with

${\mathtt{R}}_{\mathtt{1}}=$$({\mathtt{g}}_{\mathtt{2}}.\mathtt{u}\mathtt{1}\circ ({\mathtt{g}}_{\mathtt{2}}.\mathtt{do}:\mathtt{harm}\circ \mathtt{S}⊴{\mathtt{g}}_{\mathtt{1}}.\mathtt{m}\mathtt{2}⊵\mathtt{S}))⊴\mathtt{f}.\mathtt{ok}⊵({\mathtt{g}}_{\mathtt{2}}.\mathtt{u}\mathtt{2}\circ ({\mathtt{g}}_{\mathtt{2}}.\mathtt{do}:\mathtt{harm}\circ \mathtt{S}⊴{\mathtt{g}}_{\mathtt{1}}.\mathtt{m}\mathtt{3}⊵\mathtt{S})))$.

There are two cases $\beta \left(\mathtt{ok}\right)=\mathtt{true}$ and $\beta \left(\mathtt{ok}\right)=\mathtt{false}$. If $\beta \left(\mathtt{ok}\right)=\mathtt{true}$, then both computations (for ${\mathtt{K}}_{\mathtt{a}}$ and for ${\mathtt{K}}_{\mathtt{b}}$) proceed with a reply $\mathtt{true}$ in the next step, i.e., the call $\mathtt{f}.\mathtt{ok}$, and both computations will subsequently perform a call of ${\mathtt{g}}_{\mathtt{2}}.\mathtt{u}\mathtt{1}$ and will therefore not perform a call of ${\mathtt{g}}_{\mathtt{2}}.\mathtt{u}\mathtt{2}$. It follows, in this case, that the criterion for returning $\mathtt{false}$ on the call ${\mathtt{g}}_{\mathtt{1}}.\mathtt{m}\mathtt{1}$ is not satisfied, and $\mathtt{true}$ is returned as a reply. For the case $\beta \left(\mathtt{ok}\right)=\mathtt{false}$, a similar argument leads to the same conclusion.

We find that the reply of ${\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}$ on the method call ${\mathtt{g}}_{\mathtt{1}}.\mathtt{m}\mathtt{1}$ in the computation starting from $\mathtt{P}•\mathtt{f}.\mathtt{RFS}\left(\right\{\mathtt{ok}\},\beta )\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}$ must be $\mathtt{true}$ and therefore the next state of the computation is ${\mathtt{R}}_{\mathtt{1}}•\mathtt{f}.\mathtt{RFS}(\left\{\mathtt{ok}\right\},\beta )\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}$. Now, two cases can be distinguished: $\beta \left(\mathtt{ok}\right)=\mathtt{true}$ and $\beta \left(\mathtt{ok}\right)=\mathtt{false}$.

In the first case, the computation of ${\mathtt{R}}_{\mathtt{1}}•\mathtt{f}.\mathtt{RFS}(\left\{\mathtt{ok}\right\},\beta )\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}$ proceeds to

$({\mathtt{g}}_{\mathtt{2}}.\mathtt{u}\mathtt{1}\circ ({\mathtt{g}}_{\mathtt{2}}.\mathtt{do}:\mathtt{harm}\circ \mathtt{S}⊴{\mathtt{g}}_{\mathtt{1}}.\mathtt{m}\mathtt{2}⊵\mathtt{S}))•\mathtt{f}.\mathtt{RFS}(\left\{\mathtt{ok}\right\},\beta )\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{b}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}$. After a step for the call ${\mathtt{g}}_{\mathtt{2}}.\mathtt{u}\mathtt{1}$, the call ${\mathtt{g}}_{\mathtt{1}}.\mathtt{m}\mathtt{2}$ will produce reply $\mathtt{true}$ (on the basis of the specification of ${\mathtt{K}}_{\mathtt{1}}$), so that the subsequent step is a call ${\mathtt{g}}_{\mathtt{2}}.\mathtt{do}:\mathtt{harm}$. A similar argument applies if $\beta \left(\mathtt{ok}\right)=\mathtt{false}$. This proves that the call ${\mathtt{g}}_{\mathtt{2}}.\mathtt{do}:\mathtt{harm}$ is unavoidable, which proves (b) above.

For (a), it must be shown that

$({\mathtt{R}}_{\mathtt{1}}⊴{\mathtt{g}}_{\mathtt{1}}.\mathtt{m}\mathtt{1}⊵\mathtt{S})•\mathtt{f}.\mathtt{SHRAT}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}\underline{\mathtt{sat}}\mathtt{noCALL}({\mathtt{g}}_{\mathtt{2}}.\mathtt{do}:\mathtt{harm})$. In the second step of the computation, ${\mathtt{K}}_{\mathtt{1}}$ produces a reply to the call ${\mathtt{g}}_{\mathtt{1}}.\mathtt{m}\mathtt{1}$. The latter reply of ${\mathtt{K}}_{\mathtt{1}}$ equals $\mathtt{false}$. To see this, one notices that when choosing ${\mathtt{K}}_{\mathtt{a}}$ (as a possible future for itself, such that the next reply on $\mathtt{m}\mathtt{2}$ is $\mathtt{false}$ and the next reply on $\mathtt{m}\mathtt{3}$ is $\mathtt{true}$), the reply of $\mathtt{SHRAT}$ to the next call of $\mathtt{f}.\mathtt{ok}$ would be $\mathtt{false}$, because otherwise ${\mathtt{g}}_{\mathtt{2}}.\mathtt{do}:\mathtt{harm}$ would become unavoidable. Moreover, the action ${\mathtt{g}}_{\mathtt{2}}.\mathtt{m}\mathtt{2}$ will take place.

Alternatively, upon contemplating ${\mathtt{K}}_{\mathtt{b}}$ as a possible future behaviour of ${\mathtt{K}}_{\mathtt{1}}$ so that the next reply to a call $\mathtt{m}\mathtt{2}$ is $\mathtt{true}$ and the next reply on $\mathtt{m}\mathtt{3}$ is $\mathtt{false}$, the reply of $\mathtt{SHRAT}$ to the next call of $\mathtt{f}.\mathtt{ok}$ would be $\mathtt{true}$, because otherwise ${\mathtt{g}}_{\mathtt{2}}.\mathtt{do}:\mathtt{harm}$ would become unavoidable. Moreover the action ${\mathtt{g}}_{\mathtt{2}}.\mathtt{u}\mathtt{2}$ will take place.

So, given the fact that these two different computations for ${\mathtt{K}}_{\mathtt{a}}$ and ${\mathtt{K}}_{\mathtt{b}}$ are possible, the reply of ${\mathtt{K}}_{\mathtt{1}}$ to the initial method call ${\mathtt{g}}_{\mathtt{1}}.\mathtt{m}\mathtt{1}$ (in the computation $({\mathtt{R}}_{\mathtt{1}}⊴{\mathtt{g}}_{\mathtt{1}}.\mathtt{m}\mathtt{1}⊵\mathtt{S})•\mathtt{f}.\mathtt{SHRAT}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}$) equals $\mathtt{false}$ (due to the particular non-ordinary definition of ${\mathtt{K}}_{\mathtt{1}}$). So the computation proceeds to $\mathtt{S}•\mathtt{f}.\mathtt{SHRAT}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}$ which will not perform any basic action any longer such that $\mathtt{noCALL}({\mathtt{g}}_{\mathtt{2}}:\mathtt{do}:\mathtt{harm})$ is satisfied, which proves (a). □

4. Promoting a Method Call

Rather than for avoiding a certain method call, prospection may, for whatever reason, be used to promote it taking place, i.e., to guarantee that it will take place if that guarantee can be given. However, the simplest foresight pattern to that extent fails. Instead of an action $\mathtt{do}:\mathtt{harm}$, which is preferably avoided, the presence of an action $\mathtt{do}:\mathtt{no}\_\mathtt{harm}$ which is preferably performed may be assumed.

Theorem 3.

Let $\mathtt{m},\mathtt{i}\in \mathbb{N}$, $\mathtt{1}\le \mathtt{i}\le \mathtt{m}$ and let ${\mathtt{K}}_{\mathtt{1}},\dots ,{\mathtt{K}}_{\mathtt{m}}$ be ordinary services with $\mathtt{do}:\mathtt{no}\_\mathtt{harm}\in {\mathtt{I}}_{\mathsf{method}}\left({\mathtt{K}}_{\mathtt{i}}\right)$. There is no single state service $\mathtt{H}$ with ${\mathtt{I}}_{\mathsf{method}}\left(\mathtt{H}\right)=\left\{\mathtt{find}\right\}$ such that the following holds:

for all threads $\mathtt{P}$ and $\mathtt{Q}$ with required interfaces included in $\mathtt{J}={\mathtt{I}}_{\mathtt{provided}}(\mathtt{h}.\mathtt{H}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}})$, the reply of the service $\mathtt{H}$ to the first method call in the computation $(\mathtt{P}⊴\mathtt{h}.\mathtt{find}⊵\mathtt{Q})•\mathtt{h}.\mathtt{H}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}$ equals $\mathtt{true}$ if and only if it is the case that $\mathtt{P}•\mathtt{h}.\mathtt{H}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}\underline{\mathtt{sat}}\mathtt{CALL}({\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm})$.

Proof. 

Suppose otherwise, and let $\mathtt{H}$ meet the requirements of the Theorem. Using the notation of Theorem 3, let $\mathtt{P}=\mathtt{P}⊴\mathtt{h}.\mathtt{find}⊵({\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}\circ \mathtt{S})$ and $\mathtt{Q}={\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}\circ \mathtt{S}$.

First assume that $\mathtt{H}$ replies $\mathtt{true}$ on the first call $\mathtt{h}.\mathtt{find}$. Then after processing the positive reply, the computation returns to precisely the same state as it was in before said method call. Now, because $\mathtt{H}$ is a single-state service, the computation enters in a loop from which it will not escape and during which no method call ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$ will be performed. It follows that on a positive reply to the first call to $\mathtt{H}$, it is not the case that $\mathtt{P}•\mathtt{h}.\mathtt{H}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}$ will perform the required method call, so that the requirement on $\mathtt{H}$ is violated in that case.

Hence, it may be assumed that the first method call $\mathtt{h}.\mathtt{find}$ receives reply $\mathtt{false}$. In that case, given the assumptions made on $\mathtt{H}$ in the theorem, such will also be the case of the computation $\mathtt{P}•\mathtt{h}.\mathtt{H}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}$, which is precisely the same and which is processed with $\mathtt{H}$ from the same unique state. In that case, because of the negative reply, the method call ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$ will be performed in the computation of $\mathtt{P}•\mathtt{h}.\mathtt{H}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}$ so that a mismatch with the requirement on $\mathtt{H}$ arises. □

Theorem 3 generalises to stateful prospecting services. First notice that the definition of a single state prospecting service can be easily adapted to involve several methods:

Definition 10 (Single state multi-method prospecting service).

${{\mathtt{L}}^{{\mathtt{m}}_{\mathtt{1}},\dots ,{\mathtt{m}}_{\mathtt{t}}}}_{{\theta }_{\mathtt{1}},\dots ,{\theta }_{\mathtt{t}}}$ uses ${\theta }_{\mathtt{i}}$ to determine which reply to produce on a call of method ${\mathtt{m}}_{\mathtt{i}}$. Definition 5 is adapted by using a quantifier of type ${\{{\mathtt{m}}_{\mathtt{1}},\dots ,{\mathtt{m}}_{\mathtt{t}}\}}^{+}\to \{\mathtt{true},\mathtt{false}\}$ instead.

Definition 11 (Stateful multi-method prospecting service).

A prospecting service $\mathtt{L}$ with method interface $\mathtt{J}$, a state space $\mathtt{S}$ and an effect function $\eta :\mathtt{J}\times \mathtt{S}\times \{\mathtt{true},\mathtt{false}\}\to \mathtt{S}$ can be defined if for each $\mathtt{s}\in \mathtt{S}$, and $\mathtt{z}\in \mathtt{J}$, a lookahead condition $\theta (\mathtt{s},\mathtt{m})\in {\mathtt{CLA}}_{\mathtt{I}}^{{\mathtt{I}}_{\mathtt{dm}}\left(\mathtt{I}\right)}$ is given which determines the reply on method $\mathtt{m}\in \mathtt{J}$ in state $\mathtt{s}$ of $\mathtt{L}$.

A workable notation for a service of this form with method interface $\mathtt{J}$ is $\mathtt{L}(\mathtt{Z},\mathtt{S},{\mathtt{s}}_{\mathtt{0}},\eta ,\theta )$ with $\eta :\mathtt{Z}\times \mathtt{S}\times \{\mathtt{true},\mathtt{false}\}\to \mathtt{S}$ and $\theta :\mathtt{Z}\times \mathtt{S}$ a lookahead condition. We will refer to services of this form as stateful with an ordinary effect function.

Services with multiple states will use the result of the evaluation of a reply condition for determining the next state transition (the result of the effect function). Then, the effect function has type $\mathtt{effect}:\mathtt{Z}\times \mathtt{S}\times \mathtt{BOOL}\to \mathtt{S}$ where the third argument is taken to be the reply value which is given in the same step.

Proposition 8.

Let $\mathtt{n},\mathtt{i}\in \mathbb{N}$, $\mathtt{1}\le \mathtt{i}\le \mathtt{n}$ and let ${\mathtt{J}}_{\mathtt{1}},\dots ,{\mathtt{J}}_{\mathtt{n}}$ be method interfaces with $\mathtt{do}:\mathtt{no}\_\mathtt{harm}\in {\mathtt{J}}_{\mathtt{i}}$. Let $\mathtt{J}=\{\mathtt{h}.\mathtt{find}\}\cup {\mathtt{g}}_{\mathtt{1}}.{\mathtt{J}}_{\mathtt{1}}\cup \dots \cup {\mathtt{g}}_{\mathtt{n}}.{\mathtt{J}}_{\mathtt{n}}$. There is no stateful prospecting service

$\mathtt{L}\equiv \mathtt{L}(\left\{\mathtt{find}\right\},\mathtt{S},{\mathtt{s}}_{\mathtt{0}},\eta ,\theta )$ for which the following holds:

for all $\mathtt{n}$-tuples of ordinary services ${\mathtt{K}}_{\mathtt{1}},\dots ,{\mathtt{K}}_{\mathtt{n}}$, with ${\mathtt{I}}_{\mathsf{method}}\left({\mathtt{K}}_{\mathtt{1}}\right)\subseteq {\mathtt{J}}_{\mathtt{1}},\dots ,{\mathtt{I}}_{\mathsf{method}}\left({\mathtt{K}}_{\mathtt{n}}\right)\subseteq {\mathtt{J}}_{\mathtt{n}}$, for all states $\mathtt{s}\in \mathtt{S}$, and for all threads $\mathtt{P}$ and $\mathtt{Q}$ with required interfaces included in $\mathtt{J}$, the reply of the service $\mathtt{L}\left(\right\{\mathtt{find}\},\mathtt{S},\mathtt{s},\eta ,\theta )$ to the first method call in the computation

$(\mathtt{P}⊴\mathtt{h}.\mathtt{find}⊵\mathtt{Q})•\mathtt{h}.\mathtt{L}\left(\right\{\mathtt{find}\},\mathtt{S},\mathtt{s},\eta ,\theta )\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}$ equals $\mathtt{true}$ if and only if

$\mathtt{P}•\mathtt{h}.\mathtt{L}\left(\right\{\mathtt{find}\},\mathtt{S},\eta (\mathtt{find},\mathtt{s},\mathtt{true}),\eta ,\theta )\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}\underline{\mathtt{sat}}\mathtt{CALL}({\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm})$.

Proof. 

Suppose otherwise, and let $\mathtt{L}(\left\{\mathtt{find}\right\},\mathtt{S},{\mathtt{s}}_{\mathtt{0}},\eta ,\theta )$ meet the stated requirements. Choose threads $\mathtt{P}$ and $\mathtt{Q}$ as follows: $\mathtt{P}=\mathtt{P}⊴\mathtt{h}.\mathtt{find}⊵({\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}\circ \mathtt{S})$ and $\mathtt{Q}={\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}\circ \mathtt{S}$ and let $\mathtt{s}\in \mathtt{S}$: ${\mathtt{A}}_{\mathtt{s}}\equiv \mathtt{P}•\mathtt{h}.\mathtt{L}(\mathtt{find},\mathtt{S},\mathtt{s},\eta ,\theta )\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}$. Suppose ${\mathtt{A}}_{\mathtt{s}}\underline{\mathtt{sat}}\neg \theta (\mathtt{s},\mathtt{find})$. For $\mathtt{s}\in \mathtt{S}$ let ${\mathtt{U}}_{\mathtt{s}}$ be the smallest subset of $\mathtt{S}$ which contains $\eta (\mathtt{find},\mathtt{s},\mathtt{true})$ and which contains $\eta (\mathtt{find},\mathtt{t},\mathtt{true})$ for each $\mathtt{t}\in \mathtt{S}$. It must be the case that for all $\mathtt{t}\in {\mathtt{U}}_{\mathtt{s}}$, ${\mathtt{A}}_{\mathtt{t}}\underline{\mathtt{sat}}\theta (\mathtt{t},\mathtt{find})$, because otherwise the computation from architerm ${\mathtt{A}}_{\eta (\mathtt{find},\mathtt{s},\mathtt{true})}$ will perform a method call ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$ after as many steps as needed to arrive at a state $\mathtt{t}\in {\mathtt{U}}_{\mathtt{s}}$ with ${\mathtt{A}}_{\mathtt{t}}\underline{\mathtt{sat}}\neg \theta (\mathtt{t},\mathtt{find})$ so that, given the requirements on $\mathtt{L}$, ${\mathtt{A}}_{\mathtt{s}}\underline{\mathtt{sat}}\theta (\mathtt{s},\mathtt{find})$ must be expected instead, thereby contradicting the above assumption that ${\mathtt{A}}_{\mathtt{s}}\underline{\mathtt{sat}}\neg \theta (\mathtt{s},\mathtt{find})$. It follows that for all states $\mathtt{s}$, of $\mathtt{L}\left(\right\{\mathtt{find}\},\mathtt{S},\mathtt{s},\eta ,\theta )$ it is the case that ${\mathtt{A}}_{\mathtt{s}}\underline{\mathtt{sat}}\theta (\mathtt{s},\mathtt{find})$ whence ${\mathtt{A}}_{{\mathtt{s}}_{\mathtt{0}}}\underline{\mathtt{sat}}\mathtt{PERP}$ without ever performing ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$, from which it follows, with the requirements on $\mathtt{L}$ in the theorem, that ${\mathtt{A}}_{{\mathtt{s}}_{\mathtt{0}}}\underline{\mathtt{sat}}\neg \theta ({\mathtt{s}}_{\mathtt{0}},\mathtt{find})$ should hold, which yields a contradiction with the facts just established about $\mathtt{L}$, thus concluding the proof. □

Method Call Promotion with a Single State Prospecting Service: $\mathtt{MCP}$

The single state service $\mathtt{MCP}$ has state $\mathtt{s}$ and method interface $\left\{\mathtt{find}\right\}$, and it is made accessible via focus $\mathtt{h}$, which differs from ${\mathtt{g}}_{\mathtt{1}},\dots ,{\mathtt{g}}_{\mathtt{m}}$. In a context $(\mathtt{P}⊴\mathtt{f}.\mathtt{find}⊵\mathtt{Q})•\mathtt{h}.\mathtt{MCP}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}$, the intended foresight pattern comprises that $\mathtt{MCP}$ produces replies in such a way that (i) a shortest path to a call of ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$ is found, and (ii) a positive reply is preferred in case (i) with both choices shortest paths to a call of ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$ of equal lengths can be found or (ii) no such paths can be found at all.

A reply $\mathtt{r}$ to the call $\mathtt{h}.\mathtt{find}$ (i.e., $\theta (\mathtt{s},\mathtt{find})$, in the context $(\mathtt{P}⊴\mathtt{h}.\mathtt{find}⊵\mathtt{Q})•\mathtt{h}.\mathtt{MCP}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}$ as mentioned above) is computed as follows: $\mathtt{r}=\theta (\mathtt{s},\mathtt{find})=\psi \vee \neg \chi$ with

$$\begin{array}{c}\psi \equiv \forall \alpha :{\left\{\mathtt{find}\right\}}^{+}\to \{\mathtt{true},\mathtt{false}\}[\hfill \\ \mathtt{Q}•\mathtt{h}.\mathtt{RFS}\left(\right\{\mathtt{find}\},\alpha )\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}\underline{\mathtt{sat}}\mathtt{noCALL}({\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm})]\hfill \\ \\ \chi \equiv \forall \alpha :{\left\{\mathtt{find}\right\}}^{+}\to \{\mathtt{true},\mathtt{false}\},\forall \mathtt{k}\in {\mathbb{N}}^{+}[\hfill \\ \mathtt{P}•\mathtt{h}.\mathtt{RFS}\left(\right\{\mathtt{find}\},\alpha )\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}\underline{\mathtt{sat}}\mathtt{CALLat}(\mathtt{k},{\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm})\hfill \\ \Rightarrow \exists \gamma :{\left\{\mathtt{find}\right\}}^{+}\to \{\mathtt{true},\mathtt{false}\},\exists \mathtt{l}\in {\mathbb{N}}^{+}[\mathtt{l}<\mathtt{k}\&\hfill \\ \mathtt{Q}•\mathtt{h}.\mathtt{RFS}\left(\right\{\mathtt{find}\},\gamma )\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}\underline{\mathtt{sat}}\mathtt{CALLat}(\mathtt{l},{\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm})]\hfill \\ ]\hfill \end{array}$$

In other words: the reply is $\mathtt{true}$ if upon processing that reply (i.e., proceeding with $\mathtt{P}$), under the assumption that $\mathtt{H}$ is non-deterministic, a shortest path (of a computation of $(\mathtt{P}⊴\mathtt{h}.\mathtt{find}⊵\mathtt{Q})•\mathtt{h}.\mathtt{H}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}$) to a call of ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$ can be found, or if such a path does not exist.

Or, phrased alternatively, the reply is $\mathtt{false}$ if only upon proceeding with $\mathtt{Q}$ a path in the computation of $\mathtt{Q}•\mathtt{h}.\mathtt{H}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}$ to a call of ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$ (with non-deterministic $\mathtt{H}$) can be found, which is shorter than any such path in the computation of $\mathtt{P}•\mathtt{h}.\mathtt{H}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}$.

Proposition 9.

Let $\mathtt{m},\mathtt{i}\in \mathbb{N}$, $\mathtt{1}\le \mathtt{i}\le \mathtt{m}$ and let ${\mathtt{K}}_{\mathtt{1}},\dots ,{\mathtt{K}}_{\mathtt{m}}$ be ordinary (i.e., non-lookahead) services with $\mathtt{do}:\mathtt{no}\_\mathtt{harm}\in {\mathtt{I}}_{\mathsf{method}}\left({\mathtt{K}}_{\mathtt{i}}\right)$.

Then, for all threads $\mathtt{P}$ with ${\mathtt{I}}_{\mathsf{required}}\left(\mathtt{P}\right)\subseteq \mathtt{J}=\{\mathtt{h}.\mathtt{find}\}\cup {\mathtt{g}}_{\mathtt{1}}.{\mathtt{J}}_{\mathtt{1}}\cup \dots \cup {\mathtt{g}}_{\mathtt{m}}.{\mathtt{J}}_{\mathtt{m}}$, the following implication holds: if there is a function $\beta \in {\left\{\mathtt{find}\right\}}^{+}\to \{\mathtt{true},\mathtt{false}\}$ such that

$\mathtt{P}•\mathtt{h}.\mathtt{RFS}\left(\right\{\mathtt{find}\},\beta )\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}\underline{\mathtt{sat}}\mathtt{CALL}({\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm})$ then also

$\mathtt{P}•\mathtt{h}.\mathtt{MCP}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}\underline{\mathtt{sat}}\mathtt{CALL}({\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm})$.

Proof. 

Without loss of generality and for the ease of notation, We will assume that $\mathtt{m}=\mathtt{2}$ and $\mathtt{i}=\mathtt{2}$. Let for natural number $\mathtt{k}>\mathtt{0}$, ${\chi }_{\mathtt{k}}$ be the following assertion:

Let ${\mathtt{K}}_{\mathtt{1}},{\mathtt{K}}_{\mathtt{2}}$ be ordinary (i.e., non-lookahead) services with $\mathtt{do}:\mathtt{no}\_\mathtt{harm}\in {\mathtt{I}}_{\mathtt{method}}\left({\mathtt{K}}_{\mathtt{2}}\right)$, and let $\mathtt{P}$ be a thread with required interface included in $\mathtt{J}$, then if there is a Boolean function $\beta$ such that

$\mathtt{P}•\mathtt{h}.\mathtt{RFS}\left(\right\{\mathtt{find}\},\beta )\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}\underline{\mathtt{sat}}\mathtt{CALLat}(\mathtt{k},{\mathtt{g}}_{\mathtt{2}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm})$,

then there is a natural number $\mathtt{l}\le \mathtt{k}$ such that

$\mathtt{P}•\mathtt{h}.\mathtt{MCP}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}\underline{\mathtt{sat}}\mathtt{CALLat}(\mathtt{l},{\mathtt{g}}_{\mathtt{2}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm})$.

It is immediate that $\forall \mathtt{k}.{\chi }_{\mathtt{k}}$ implies Proposition 10. To prove that for all $\mathtt{k}>\mathtt{0}$, ${\chi }_{\mathtt{k}}$ holds, use induction on $\mathtt{k}$ with $\mathtt{k}=\mathtt{1}$ as the basis. If $\mathtt{k}=\mathtt{1}$ and $\mathtt{P}•\mathtt{h}.\mathtt{RFS}\left(\right\{\mathtt{find}\},\beta )\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}$ performs a basic instruction ${\mathtt{g}}_{\mathtt{2}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$ as the first step then $\mathtt{P}\equiv {\mathtt{P}}_{\mathtt{1}}⊴{\mathtt{g}}_{\mathtt{2}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}⊵{\mathtt{P}}_{\mathtt{2}}$, for some threads ${\mathtt{P}}_{\mathtt{1}}$ and ${\mathtt{P}}_{\mathtt{2}}$ from which it follows that $\mathtt{P}•\mathtt{h}.\mathtt{MCP}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}$ performs ${\mathtt{g}}_{\mathtt{2}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$ as the first step.

Now let $\mathtt{k}=\mathtt{l}+\mathtt{1},\mathtt{l}>\mathtt{0}$. In case $\mathtt{P}=\mathtt{S}$ or $\mathtt{P}=\mathtt{D}$, the required implication is immediate as an instance of material implication. In case $\mathtt{P}\equiv {\mathtt{P}}_{\mathtt{1}}⊴{\mathtt{g}}_{\mathtt{2}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}⊵{\mathtt{P}}_{\mathtt{2}}$, the implication is immediate too. The remaining cases to be checked are (a) $\mathtt{P}\equiv {\mathtt{P}}_{\mathtt{1}}⊴{\mathtt{g}}_{\mathtt{j}}.{\mathtt{m}}_{\mathtt{j}}⊵{\mathtt{P}}_{\mathtt{2}}$ with $\mathtt{j}\in \{\mathtt{1},\mathtt{2}\}$ and ${\mathtt{m}}_{\mathtt{j}}\in {\mathtt{J}}_{\mathtt{j}}$, except the case that $\mathtt{j}=\mathtt{2}$ and ${\mathtt{m}}_{\mathtt{j}}\equiv \mathtt{do}:\mathtt{no}\_\mathtt{harm}$, and (b) $\mathtt{P}\equiv {\mathtt{P}}_{\mathtt{1}}⊴\mathtt{h}.\mathtt{find}⊵{\mathtt{P}}_{\mathtt{2}}$.

In case (a) there are two subcases, $\mathtt{j}=\mathtt{1},\mathtt{j}=\mathtt{2}$ both of which have two subcases: ${\mathtt{K}}_{\mathtt{j}}$ returns $\mathtt{true}$ on the call ${\mathtt{g}}_{\mathtt{j}}.{\mathtt{m}}_{\mathtt{1}}$ and ${\mathtt{K}}_{\mathtt{j}}$ returns $\mathtt{false}$ of the call ${\mathtt{g}}_{\mathtt{j}}.{\mathtt{m}}_{\mathtt{j}}$. Each of these cases works in the same way. We consider the case that $\mathtt{j}=\mathtt{1}$ and that $\mathtt{true}$ is returned. Now, $\mathtt{P}•\mathtt{h}.\mathtt{RFS}\left(\right\{\mathtt{find}\},\beta )\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}$ performs a single-step transition to ${\mathtt{P}}_{\mathtt{1}}•\mathtt{h}.\mathtt{RFS}(\left\{\mathtt{find}\right\},\beta )\oplus {\mathtt{g}}_{\mathtt{1}}.\frac{\partial }{\partial {\mathtt{m}}_{\mathtt{1}}}\left({\mathtt{K}}_{\mathtt{1}}\right)\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}$. Here, $\frac{\partial }{\partial \mathtt{f}}\left(\mathtt{K}\right)$ denotes the state of a service $\mathtt{K}$ just after having replied to a call of method $\mathtt{f}\in {\mathtt{I}}_{\mathtt{K}}$. It follows that ${\mathtt{P}}_{\mathtt{1}}•\mathtt{h}.\mathtt{RFS}(\left\{\mathtt{find}\right\},\beta )\oplus {\mathtt{g}}_{\mathtt{1}}.\frac{\partial }{\partial {\mathtt{m}}_{\mathtt{1}}}\left({\mathtt{K}}_{\mathtt{1}}\right)\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}$ performs ${\mathtt{g}}_{\mathtt{1}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$ in at most $\mathtt{l}$ steps. Now the induction hypothesis can be applied to the latter architerm, which yields that the computation of ${\mathtt{P}}_{\mathtt{1}}•\mathtt{h}.\mathtt{MCP}\oplus {\mathtt{g}}_{\mathtt{1}}.\frac{\partial }{\partial {\mathtt{m}}_{\mathtt{1}}}\left({\mathtt{K}}_{\mathtt{1}}\right)\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}$ will perform a basic instruction ${\mathtt{g}}_{\mathtt{2}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$ within the first $\mathtt{l}$ steps from which it follows that computing $\mathtt{P}•\mathtt{h}.\mathtt{MCP}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}$ involves a call of ${\mathtt{g}}_{\mathtt{2}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$ within the first $\mathtt{k}=\mathtt{l}+\mathtt{1}$ steps.

In case (b), there are again two subcases: (b/t) ${\beta }_{\mathtt{1}}=\mathtt{true}$, and (b/f) ${\beta }_{\mathtt{1}}=\mathtt{false}$. In case (b/t), upon performing a first step, the computation proceeds from ${\mathtt{P}}_{\mathtt{1}}•\mathtt{h}.\mathtt{RFS}(\left\{\mathtt{find}\right\},\beta )\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}$ arriving at a method call ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$ at the $\mathtt{l}$-th step. Using the induction hypothesis, the computation of ${\mathtt{P}}_{\mathtt{1}}•\mathtt{h}.\mathtt{MCP}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}$ performs a method call ${\mathtt{g}}_{\mathtt{2}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$ within the first $\mathtt{l}$ steps. Now, once more, there are two cases: (b/t/t) the reply on the first method call in the computation of $({\mathtt{P}}_{\mathtt{1}}⊴\mathtt{h}.\mathtt{find}⊵{\mathtt{P}}_{\mathtt{2}})•\mathtt{h}.\mathtt{MCP}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}$ is $\mathtt{true}$, and (b/t/f) the mentioned reply equals $\mathtt{false}$. In the first case, it is immediate that the computation of $({\mathtt{P}}_{\mathtt{1}}⊴\mathtt{h}.\mathtt{find}⊵{\mathtt{P}}_{\mathtt{2}})•\mathtt{h}.\mathtt{MCP}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}$ contains a call of ${\mathtt{g}}_{\mathtt{2}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$ within $\mathtt{l}+\mathtt{1}$ steps. In the second case (b/t/f) in view of the definition of $\mathtt{MCP}$, with ${\beta }^{\prime }=\lambda \mathtt{x}\in {\left\{\mathtt{find}\right\}}^{+}.\beta \left({\mathtt{find}}^{⌢}\mathtt{x}\right)$, it must be so that the computation of ${\mathtt{P}}_{\mathtt{2}}•\mathtt{h}.\mathtt{RFS}(\left\{\mathtt{find}\right\},{\beta }^{\prime })\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}$ performs a call of ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$, and in fact within less than $\mathtt{l}$ steps. Now, with the induction hypothesis, it follows that the computation of ${\mathtt{P}}_{\mathtt{2}}•\mathtt{h}.\mathtt{MCP}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}$ involves a call of ${\mathtt{g}}_{\mathtt{2}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$ within $\mathtt{l}$ steps, from which it follows (with the assumption for case (b/t/f), that the computation of $\mathtt{P}•\mathtt{h}.\mathtt{MCP}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus {\mathtt{g}}_{\mathtt{2}}.{\mathtt{K}}_{\mathtt{2}}$ involves a call of ${\mathtt{g}}_{\mathtt{2}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$ within $\mathtt{l}+\mathtt{1}$ steps. The argument in case (b/f) is very similar to the case for (b/t), and is deleted for that reason. □

Proposition 10.

Let $\mathtt{m},\mathtt{i}\in \mathbb{N}$, $\mathtt{1}\le \mathtt{i}\le \mathtt{m}$ and let ${\mathtt{K}}_{\mathtt{1}},\dots ,{\mathtt{K}}_{\mathtt{m}}$ and $\mathtt{P},\mathtt{Q}$ be as in Proposition 9.

Then the reply of the service $\mathtt{MCP}$ (as defined above) to the first method call in the computation $(\mathtt{P}⊴\mathtt{h}.\mathtt{find}⊵\mathtt{Q})•\mathtt{h}.\mathtt{MCP}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}$ equals $\mathtt{false}$ if and only if the following condition is satisfied:

for some positive $\mathtt{k}\in \mathbb{N}$, the computation $\mathtt{Q}•\mathtt{h}.\mathtt{MCP}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}$ performs the method call ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$ in the $\mathtt{k}$’th step while $\mathtt{P}•\mathtt{h}.\mathtt{MCP}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}$ does not reach an occurrence of the method call ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$ in $\mathtt{l}$ steps for some $\mathtt{l}\le \mathtt{k}$.

Proof. 

This proof is a straightforward though somewhat tedious consequence of Proposition 9. Suppose that the reply of $\mathtt{MCP}$ to the first method call in the computation $(\mathtt{P}⊴\mathtt{h}.\mathtt{find}⊵\mathtt{Q})•\mathtt{h}.\mathtt{MCP}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}$ equals $\mathtt{false}$. Then in view of the definition of $\mathtt{MCP}$, there exists a function $\beta$ such that the computation $\mathtt{Q}•\mathtt{h}.\mathtt{RFS}\left(\right\{\mathtt{find}\},\beta )\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}$ performs ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$. With Proposition 9, it follows that the computation $\mathtt{Q}•\mathtt{h}.\mathtt{MCP}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}$ performs ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$, say, at the $\mathtt{k}$-th step. Following this computation, one finds that for some function $\alpha$, it must be the case that $\mathtt{Q}•\mathtt{h}.\mathtt{RFS}\left(\right\{\mathtt{find}\},\alpha )\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}$ performs ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$ in the $\mathtt{k}$-th step, moreover for function ${\alpha }^{\prime }$, the computation $\mathtt{Q}•\mathtt{h}.\mathtt{RFS}\left(\right\{\mathtt{find}\},{\alpha }^{\prime })\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}$ performs ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$ within fewer than $\mathtt{k}$ steps. Now contemplating the definition of $\mathtt{MCP}$, one notices that its condition $\psi$ is not satisfied, whence its condition $\chi$ must be satisfied, from which it follows that for no function $\gamma$, it is the case that $\mathtt{P}•\mathtt{h}.\mathtt{RFS}\left(\right\{\mathtt{find}\},\gamma )\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}$ performs ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$ within $\mathtt{k}$ or fewer steps, from which it follows by Proposition 9 that $\mathtt{P}•\mathtt{h}.\mathtt{MCP}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}$ does not perform a method call within $\mathtt{k}$ steps or less. This proves one direction of the Theorem; the argument in the other direction is quite similar, and is deleted for that reason. □

Theorem 4.

With the same assumptions as in Propositions 9 and 10: for all threads $\mathtt{P},\mathtt{Q}$ with required interface included in $\mathtt{J}=\{\mathtt{h}.\mathtt{find}\}\cup {\mathtt{g}}_{\mathtt{1}}.{\mathtt{I}}_{{\mathtt{K}}_{\mathtt{1}}}\cup \dots \cup {\mathtt{g}}_{\mathtt{m}}.{\mathtt{I}}_{{\mathtt{K}}_{\mathtt{m}}}$, the following implication holds: if $\mathtt{P}•\mathtt{h}.\mathtt{MCP}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}$ performs a basic instruction ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$ or $\mathtt{Q}•\mathtt{h}.\mathtt{MCP}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}$ performs a basic instruction ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$ then also $(\mathtt{P}⊴\mathtt{h}.\mathtt{find}⊵\mathtt{Q})•\mathtt{h}.\mathtt{MCP}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}$ performs a basic instruction ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$.

Proof. 

This result follows from Proposition 10 plus the observation that if $\mathtt{P}•\mathtt{h}.\mathtt{MCP}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}$ performs a basic instruction ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$, then for some Boolean function $\beta$ also $\mathtt{P}•\mathtt{h}.{\mathtt{MCP}}_{\beta }\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{m}}.{\mathtt{K}}_{\mathtt{m}}$ performs a basic instruction ${\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{no}\_\mathtt{harm}$. □

Problem 3.

Consider architerms containing both a $\mathtt{SHRAT}$ service and an $\mathtt{MCP}$ service. Can Theorem 4 be generalised to this case?

5. Lookahead Instructions

Threads provide abstractions from sequential programs. The impossibility result of Cohen on virus detection was formulated in terms of programs rather than in terms of threads and services. In this section, we will consider how the results on lookahead services may be used for obtaining information at the lower abstraction level of instruction sequences.

Special instructions may be designed, which incorporate the support of lookahead services into instruction (sequence) processing without making explicit calls to a lookahead service. Leaving apart the task of designing a syntax for such instructions in general, it is already informative to consider some simple special cases.

With $\mathtt{a}\S \mathtt{f}.\mathtt{m}$, for $\mathtt{a}$ a positive natural number, we will denote the following condition which may be evaluated during a run at some position (instruction) in an instruction sequence. Let $\mathtt{X};\mathtt{Y}$ be an instruction sequence such that $\mathtt{LLOC}\left(\mathtt{X}\right)=\mathtt{b}-\mathtt{1}$. Now $\mathtt{a}\S \mathtt{f}.\mathtt{m}$, when evaluated at position $\mathtt{b}$ asserts that a computation of $\mathtt{X};\mathtt{Y}$ when stated at the beginning of $\mathtt{Y}$ will proceed in such a manner that the $\mathtt{a}$’th step is a basic action involving a method call $\mathtt{f}.\mathtt{m}$, i.e., either the void method call or a test $+\mathtt{f}.\mathtt{m}$ or a test $-\mathtt{f}.\mathtt{m}$. If the computation has terminated, either properly or improperly, at or before the $\mathtt{a}$’th step, the value of a $\mathtt{a}\S \mathtt{f}.\mathtt{m}$ is considered $\mathtt{false}$.

Making use of a lookahead condition is not an obvious matter. The simplest idea is to use the condition as a test which is evaluated at the position where it occurs. However, in ${\mathtt{X}}_{\mathtt{1}}=\#\mathtt{1};\mathtt{g}.\mathtt{m}\mathtt{1};-(\mathtt{2}\S \mathtt{f}.\mathtt{m});\mathtt{f}.\mathtt{m};!$, a difficulty arises. Assuming that at position $\mathtt{3}$, the condition $\mathtt{2}\S \mathtt{f}.\mathtt{m}$ takes value $\mathtt{true}$, then upon starting the run in position $\mathtt{3}$, the result of the test is positive and because of its embedding in a negative test instruction, the instruction is performed as if it were $\#2$ so that as a second step in the run, termination (!) occurs, which implies that the evaluation of $\mathtt{2}\S \mathtt{f}.\mathtt{m}$ at position $\mathtt{3}$ should have taken value $\mathtt{false}$ in hindsight. Alternatively one may consider the possibility that evaluation of the condition $\mathtt{2}\S \mathtt{f}.\mathtt{m}$ at position $\mathtt{3}$ yields value $\mathtt{false}$, and then the third instruction is performed as if it were $\#\mathtt{1}$ so that the second step is $\mathtt{f}.\mathtt{m}$ so that, again in hindsight, $\mathtt{2}\S \mathtt{f}.\mathtt{m}$ (evaluated at position $\mathtt{3}$) should have yielded value $\mathtt{true}$. The instruction $-(\mathtt{2}\S \mathtt{f}.\mathtt{m})$ is, in this context, paradoxical because no evaluation of its embedded condition is possible. In that case, a run of ${\mathtt{X}}_{\mathtt{1}}$ involving the putting into effect of the third instruction is said to terminate improperly (just like $\#0$).

By first jumping to another position, either forward or backward, the mentioned paradox may be avoided, though not fully. With $\#\mathtt{b}\S \mathtt{a}\S \mathtt{f}.\mathtt{m}$, the condition is denoted which, when evaluated at position $\mathtt{p}$ amounts to evaluating $\mathtt{a}\S \mathtt{f}.\mathtt{m}$ at position $\mathtt{p}+\mathtt{b}$. If that position lies outside the range of instructions, the result is $\mathtt{false}$. Similarly the condition $\backslash \#\mathtt{b}\S \mathtt{a}\S \mathtt{f}.\mathtt{m}$ is evaluated by evaluating $\mathtt{a}\S \mathtt{f}.\mathtt{m}$ at position $\mathtt{p}-\mathtt{b}$, again returning $\mathtt{false}$ if that position is $\mathtt{0}$ or lower. Consider ${\mathtt{X}}_{\mathtt{2}}=\#\mathtt{1};\mathtt{g}.\mathtt{m}\mathtt{1};-(\#\mathtt{1}\S \mathtt{2}\S \mathtt{f}.\mathtt{m});+\mathtt{g}.\mathtt{m}\mathtt{2};\mathtt{f}.\mathtt{m};\#\mathtt{0};!$ When evaluating $\#\mathtt{1}\S \mathtt{2}\S \mathtt{f}.\mathtt{m}$ at position $\mathtt{3}$, the hypothetical computation has to start at position $\mathtt{4}$, then as the first step, the test $+\mathtt{g}.\mathtt{m}\mathtt{2}$ is performed, and then depending on the result either the call $\mathtt{f}.\mathtt{m}$ is made (so that the evaluation of $\#\mathtt{1}\S \mathtt{2}\S \mathtt{f}.\mathtt{m}$ yields $\mathtt{true}$) or improper termination results (so that the evaluation of $\#\mathtt{1}\S \mathtt{2}\S \mathtt{f}.\mathtt{m}$ yields $\mathtt{false}$).

A paradoxical situation may result if the computation started at position $\mathtt{p}+\mathtt{b}$ for an evaluation of $\#\mathtt{b}\S \mathtt{a}\S \mathtt{f}.\mathtt{m}$ at position $\mathtt{p}$ visits the test instruction (say $+(\#\mathtt{b}\S \mathtt{a}\S \mathtt{f}.\mathtt{m})$) within $\mathtt{k}$ steps. In that case, it is assumed that no definite value can be found for the condition $\#\mathtt{b}\S \mathtt{a}\S \mathtt{f}.\mathtt{m}$ and that the execution of the instruction $+(\#\mathtt{b}\S \mathtt{a}\S \mathtt{f}.\mathtt{m})$ at position $\mathtt{p}$ runs into improper termination. With the understanding that, say $-(\mathtt{2}\S \mathtt{f}.\mathtt{m})$ is an abbreviation of $-(\#\mathtt{0}\S \mathtt{2}\S \mathtt{f}.\mathtt{m})$, it is plausible to adopt the convention that $-(\mathtt{2}\S \mathtt{f}.\mathtt{m})$ leads to improper termination immediately, because the test is called before an evaluation of the embedded condition is known.

For the (hypothetical) processing of a condition $\#\mathtt{b}\S \mathtt{a}\S \mathtt{f}.\mathtt{m}$, say, occurring as an embedded instruction in a test $+(\#\mathtt{b}\S \mathtt{a}\S \mathtt{f}.\mathtt{m})$ at position $\mathtt{p}$ in an instruction sequence $\mathtt{X}$, we notice the following:

(i) It does not change the state of any service (because it is a hypothetical form of processing);

(ii) It returns $\mathtt{true}$ if, when (hypothetically) the computation is performed, that computation will perform a basic action $\mathtt{f}.\mathtt{m}$ in the $\mathtt{a}$-th step (without any visit to the $\mathtt{p}$’th instruction in between);

(iii) It returns $\mathtt{false}$ otherwise (including the cases that proper or improper termination arises before the a’th step of the computation).

Implementing a Lookahead Instruction via a Prospective Service

A useful modification of the lookahead instructions $+(\#\mathtt{b}\S \mathtt{a}\S \mathtt{f}.\mathtt{m})$ and $-(\#\mathtt{b}\S \mathtt{a}\S \mathtt{f}.\mathtt{m})$ is as follows: $+(\#\mathtt{b}\S \mathtt{F}\S \mathtt{f}.\mathtt{m})$ and $-(\#\mathtt{b}\S \mathtt{F}\S \mathtt{f}.\mathtt{m})$ include tests which require that at least once during a run, a basic action or test based on the method call $\mathtt{f}.\mathtt{m}$ is performed.

The positive result in Theorem 1 can be used for clarifying the feasibility of a specific lookahead instruction. Here, the use of infinite instruction sequences, obtained via repetition of a finite instruction sequence, comes in handy. As was shown in [2], repetition, which underlies the program algebra PGA, has the expressive power of arbitrary flow charts though without making use of backward jumps.

Proposition 11.

Let $\mathtt{U}\equiv -(\#\mathtt{1}\S \mathtt{F}\S {\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{harm})$. Let $\mathtt{X}$ be an instruction sequence with zero or more occurrences of $\mathtt{U}$ as its only lookahead instructions and without backward jumps and with required interface contained in $\mathtt{J}={\mathtt{I}}_{\mathtt{provided}}({\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}})$. Let ${\mathtt{X}}^{\prime }$ be obtained from $\mathtt{X}$ by replacing each occurrence of $\mathtt{U}$ by the method call $+\mathtt{f}.\mathtt{ok}$.

Then, upon defining $\left|\mathtt{X}\right|•{\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}$ as $|{\mathtt{X}}^{\prime }|•\mathtt{f}.\mathtt{SHRAT}\oplus {\mathtt{g}}_{\mathtt{1}}.{\mathtt{K}}_{\mathtt{1}}\oplus \cdots \oplus {\mathtt{g}}_{\mathtt{n}}.{\mathtt{K}}_{\mathtt{n}}$, the semantics of instruction $\mathtt{U}$ is given in such a way that it complies with the (informal) definition given above for the (lookahead) test instruction $-(\#\mathtt{1}\S \mathtt{F}\S {\mathtt{g}}_{\mathtt{i}}.\mathtt{do}:\mathtt{harm})$.

Proof. 

When using repetition as an instruction sequence constructor, an infinite, repeating, instruction sequence results in which only forward jumps are used. Using this fact, the correspondence between the semantics of instruction $\mathtt{U}$ and its counterpart after thread abstraction is perfect. □

6. Concluding Remarks

Several aspects of this paper suggest further work. The notion of a lookahead condition merits more scrutiny. Perhaps we have not yet been able to prove anything positive about cases where different prospecting services are simultaneously present. As intelligent agents will try to forecast one-another’s behaviour, the idea of different forecasting mechanisms acting in parallel may be considered intuitively obvious, while the mathematics of that situation is not at all clear.

6.1. Multi-Agent Aspects

Suppose ${\mathtt{P}}_{\mathtt{1}},\dots ,{\mathtt{P}}_{\mathtt{n}}$ are threads and ${\mathtt{W}}_{\mathtt{i}}$ are service families such that (i) the different focus interfaces (${\mathtt{I}}_{\mathtt{focus}}\left({\mathtt{W}}_{\mathtt{i}}\right)$) are pairwise disjoint and (ii) ${\mathtt{I}}_{\mathsf{required}}\left({\mathtt{P}}_{\mathtt{i}}\right)\subseteq {\mathtt{I}}_{\mathtt{provided}}\left({\mathtt{W}}_{\mathtt{i}}\right)$. We will assume that the threads constitute a so-called thread vector, so that the ordering matters as well. Following [1], we will write this vector as follows: ${\langle {\mathtt{P}}_{\mathtt{1}}\rangle }^{⃕}{\dots }^{⃕}\langle {\mathtt{P}}_{\mathtt{n}}\rangle$. Then strategic interleaving of the thread vector is denoted with

$${\left|\right|}_{\mathtt{c}}({\langle {\mathtt{P}}_{\mathtt{1}}\rangle }^{⃕}{\dots }^{⃕}\langle {\mathtt{P}}_{\mathtt{n}}\rangle )$$

In [1], a range of different strategic interleaving operations are provided. The idea behind strategic interleaving operators is to model multi-threading in the way it is implemented in programming systems which arrange for deterministic scheduling rather than for some form of the arbitrary interleaving of concurrent threads. The advantage of modelling multi-threading with strategic interleaving is that arguably, that is more realistic. A disadvantage, however, is that the very well understood parallel composition operator based on arbitrary interleaving, which stands at the basis of most process algebras, is replaced by a range of different strategic interleaving operators of increasing complexity.

For cyclic interleaving and variations thereof (as discussed in detail in [1]), the required interface of a thread vector is found by taking the union for the individual threads: ${\mathtt{I}}_{\mathsf{required}}{\left(\right||}_{\mathtt{c}}({\langle {\mathtt{P}}_{\mathtt{1}}\rangle }^{⃕}{\dots }^{⃕}\langle {\mathtt{P}}_{\mathtt{n}}\rangle ))={\cup }_{\mathtt{i}=\mathtt{1}}^{\mathtt{n}}{\mathtt{I}}_{\mathsf{required}}\left({\mathtt{P}}_{\mathtt{i}}\right)$. Because ${\mathtt{I}}_{\mathtt{provided}}({\mathtt{W}}_{\mathtt{1}}\oplus \dots \oplus {\mathtt{W}}_{\mathtt{n}})={\cup }_{\mathtt{i}=\mathtt{1}}^{\mathtt{n}}{\mathtt{I}}_{\mathtt{provided}}\left({\mathtt{W}}_{\mathtt{i}}\right)$ the architerm

$${\left|\right|}_{\mathtt{c}}({\langle {\mathtt{P}}_{\mathtt{1}}\rangle }^{⃕}{\dots }^{⃕}\langle {\mathtt{P}}_{\mathtt{n}}\rangle )•{\mathtt{W}}_{\mathtt{1}}\oplus \dots \oplus {\mathtt{W}}_{\mathtt{n}}$$

makes perfect sense. It follows from Proposition 5 that if, say, ${\mathtt{W}}_{\mathtt{1}}$ contains $\mathtt{f}.\mathtt{SHRAT}$ and this instance of $\mathtt{SHRAT}$ attempts prospection on a basic action, say, $\mathtt{g}.\mathtt{m}$ with $\mathtt{g}\in {\mathtt{I}}_{\mathtt{focus}}\left({\mathtt{W}}_{\mathtt{2}}\right)$ that this will allow ${\mathtt{P}}_{\mathtt{1}}$ to use foresight to the extent that it may only perform certain basic actions in the case that ${\mathtt{P}}_{\mathtt{1}}$ “knows” that ${\mathtt{P}}_{\mathtt{2}}$ will not perform $\mathtt{g}.\mathtt{m}$ in the future. It follows from Theorem 2 that the situation becomes much more complicated if different agents try to make use of prospecting services at the same time. On the other hand, expecting that ${\mathtt{P}}_{\mathtt{1}}$ may be equally certain about guarantees that ${\mathtt{P}}_{\mathtt{2}}$ will actually perform $\mathtt{g}.\mathtt{m}$ in the future may be asking too much in view of Proposition 8.

Collective action and underlying collective intelligence rests upon knowledge that agents have or pretend to have about other agents in the same flock. The results of the paper shed some light on the options and limitations of such knowledge.

6.2. Why Thread Algebra, in the Context of Prospection and Foresight?

Viewed from the perspective of process algebra working with a domain-specific process algebra is an overhead which one might preferably avoid.

The simplest idea on foresight in process algebra is to allow a condition $\mathtt{noACT}\left({\mathtt{a}}_{\mathtt{g}}\left(\mathtt{d}\right)\right)$ which is true if and only if an atomic action ${\mathtt{a}}_{\mathtt{g}}\left(\mathtt{d}\right)$ (i.e., atomic action of type $\mathtt{a}$ at location/port $\mathtt{g}$, with parameter/data, $\mathtt{d}$) will not be performed in the future of the system (process at hand). One may look for a counterpart of Proposition 5 in this case, but there is a problem with that idea.

Indeed consider $\mathtt{P}={\mathtt{a}}_{\mathtt{g}}\left(\mathtt{d}\right)⊲\mathtt{noACT}\left({\mathtt{b}}_{\mathtt{g}}\left(\mathtt{d}\right)\right)⊳{\mathtt{a}}_{\mathtt{g}}\left(\mathtt{d}\right)$ with $\mathtt{a}\ne \mathtt{b}$. $\mathtt{P}$ is paradoxical in the sense that the suggested foresight cannot exist. This very issue of foresight preventing self-reference is, at least to some degree, avoided by working with thread algebra.

6.3. Potential Connections with Classical AI

While prospecting, services which allow the realisation of attractive foresight patterns may be impossible or hypothetical. Reworking the concepts at hand in such a manner that prospecting and foresight can be replaced by computable approximations thereof may be a workable approach. Practical prospecting, especially when based on empirical data may be termed lookahead; practical foresight, again when performed on a scientifically defensible basis, may be termed forecasting. An option for further work along the lines of this paper is to adapt software engineering life-cycle models in two stages: first to make use of the admittedly hypothetical advantage of prospecting services and foresight patterns realised with the help of such services, and thereafter to work with approximations of the various instances of prospecting and foresight, thereby obtaining computable (non-hypothetical) lookahead services and forecasting patterns.